About This Guide


This guide describes how to configure and use NetWare® FTP Server. The guide is divided into the 
following sections: 

+ Chapter 1, “Overview”
+ Chapter 2, “Configuring NetWare FTP Server”
+ Chapter 3, “Managing and Administering NetWare FTP Server”
+ Chapter 4, “Cluster-Enabling NetWare FTP Server”
+ Chapter 5, “Migrating FTP from NetWare to OES 2 Linux”
+ Chapter 6, “NetWare FTP Server FAQ”
+ Appendix A, “NetWare FTP Server Messages”
+ Appendix B, “Documentation Updates”


Audience 


The guide is intended for NetWare administrators and end users who use FTP.


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to the Novell Documentation Web site
(http://www.novell.com/documentation/feedback.html) and enter your comments there.


Documentation Updates 


The latest version of this NetWare 6.5 FTP Server Administration Guide is available at the NetWare 
6.5 SP8 Documentation Web site (http://www.novell.com/documentation/nw65). 


Additional Documentation 


See the NetWare 6.5 SP8 Documentation Web site (http://www.novell.com/documentation/nw65). 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
in a cross-reference path. 


A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as LINUX* and UNIX*, should use forward slashes as required by your 
software. 


Overview


NetWare® FTP Server software provides FTP service for securely transferring files to and from 
NetWare volumes. You can perform file transfers from any FTP client by using the NetWare FTP 
Server to log in to a Novell® eDirectory™ 8.7.3 tree. 


After logging in, you can navigate to other NetWare servers in the same eDirectory tree even if they 
are not running the FTP service. NetWare FTP Server is based on the standard ARPANET File 
Transfer Protocol that runs over TCP/IP and conforms to RFC 959. 


+ Section 1.1, “Features of the NetWare FTP Server”


1.1 Features of the NetWare FTP Server 


The main features of NetWare FTP Server software include the following: 


+ Secure Login

Security extensions enable secure FTP clients that support the SSL/TLS mechanism to
establish secure connections with NetWare FTP Server.

See “Security Extensions” on page 29.

+ Multiple instances of NetWare FTP Server software

Multiple instances of NetWare FTP Server software can be loaded on the same NetWare server,
providing different FTP services to different sets of users.

See “Initializing Multiple Instances” on page 33.

+ FTP access restrictions

FTP access can be restricted at various levels through various types of access rights.

See “Specifying Access Restrictions” on page 35.

+ Intruder detection

An intruder host or user who tries to log in using an invalid password can be detected and
restricted.

See “Managing Intruder Detection” on page 34.

+ Remote server access

FTP users can navigate and access files from other NetWare eDirectory servers in the same
eDirectory tree whether or not the remote servers are running NetWare FTP Server software.

See “Accessing a Remote Server” on page 30 and Table 2-2 on page 18.

+ Anonymous user access

An Anonymous user account can be set up to provide users with basic access to public files.
Creating several anonymous user accounts with separate rights and contexts is now supported.

See “Creating an Anonymous User” on page 26.

+ Special SITE commands

These NetWare commands can be used to change or view some of the NetWare server-specific
parameters.

See “SITE Commands” on page 31.

+ Firewall support


When the FTP client is behind a firewall and the NetWare FTP Server cannot connect to the 
FTP client, NetWare FTP Server software supports passive mode data transfer and the 
configuration of a range of passive data ports. 


See Table 2-1 on page 13. 
+ Active Sessions display 


You can view details of all the active FTP instances at a particular time, such as a list of all 
instances, details of each instance, all sessions in an instance, and all details of each session. 


See “Viewing Active Sessions” on page 39. 
+ Name space support 


NetWare FTP Server software can operate in both DOS and long name spaces. The FTP user 
can dynamically change the default name space by using one of the SITE commands. 


See “SITE Commands” on page 31. 
+ Simple Network Management Protocol error reporting service 


Simple Network Management Protocol (SNMP) traps are issued when an FTP login request 
comes from an intruder host or from a node address restricted through Novell eDirectory. The 
traps can be viewed on the management console. 


+ FTP logs 


The FTP service maintains a log of various activities: FTP sessions, unsuccessful login 
attempts, active sessions details, and system error and NetWare FTP Server-related messages. 


See “Monitoring FTP Log Files” on page 38. 
+ Welcome banner and message file support 


NetWare FTP Server displays a welcome banner when an FTP client establishes a connection, 
and also displays a message file when a user changes the directory in which the file exists. 


See Table 2-1 on page 13. 
+ MP Enabled 

The NetWare FTP Server is MP enabled. 
+ Web-based Administration 


You can configure the NetWare FTP Server by using the iManager management utility.
Through iManager, you can now run multiple instances of FTP on a server when separate IP
addresses or ports are available.


See Section 2.2, “Configuring by Using iManager,” on page 21. 

+ Cluster-enabled 
The NetWare FTP Server can be cluster-enabled for high availability and load balancing. 
See Chapter 4, “Cluster-Enabling NetWare FTP Server,” on page 47. 


+ FTP Server is now capable of establishing secure connections with secure FTP clients. After
successful negotiation of the SSL/TLS mechanism, all the commands and replies are encrypted.

For details, see “Security Extensions” on page 29. 


+ The NetWare FTP Server has better performance compared to the previous release.

You can increase performance by using the following configurable parameters, which are
included in the etc\ftpserv.cfg configuration file.

+ The DATA_BUFF_SIZE parameter enhances the data transfer performance.

+ The DEFAULT_FTP_CONTEXT parameter specifies the default context in which the
users are searched.

+ The KEEPALIVE_TIME parameter specifies the timeout time (in minutes) to close a
connection that might be broken on one side.

+ The PSEUDO_PERMISSIONS parameter, which includes
PSEUDO_FILE_PERMISSIONS and PSEUDO_DIR_PERMISSIONS, specifies whether
the FTP server should send UNIX-type permissions or trustee rights for display in the FTP
client.

+ The SECURE_CONNECTIONS_ONLY parameter lets you specify only secure FTP
connections.


By default, the changes made to the FTP Server configuration and restrictions file now take 
effect dynamically. If required, you can disable the dynamic configuration. 


For more details, see “Dynamic Configuration Updates” on page 25. 


When specifying a configuration file different from the default configuration file located at 
sys:etc\ftpserv.cfg, you can now specify the complete path of the file. 


The error handling is improved when compared to the previous release. 


Invalid configuration parameter values are updated appropriately when dynamic updates are 
enabled, and new configuration information and error messages are logged into the log files. 


Creating several anonymous user accounts with separate rights and contexts is now supported. 
For more details, see “Creating an Anonymous User” on page 26. 


NetWare FTP Server is highly scalable. It has been tested with 300 clients simultaneously for 
basic file transfer operations. 


NetWare FTP Server can now be used by UNIX clients. 
Ftpstat has been moved to a secure connection. 


Viewing FTP statistics over plain HTTP port 2500 is no longer available. Instead, statistics can 
be accessed via the Monitor Active Sessions link in FTP administration through iManager. 


Configuring NetWare FTP Server


Before starting the NetWare® FTP Server software, configure the parameters in the configuration 
file. 


You can configure the parameters using one of the following methods: 


+ Section 2.1, “Configuring by Using Files”
+ Section 2.2, “Configuring by Using iManager”


2.1 Configuring by Using Files 


The default configuration file is sys:/etc/ftpserv.cfg. After you install NetWare FTP Server,
this configuration file has all the parameters, commented with their default values.


If you enter a non-integer value for a parameter where an integer value is required, the FTP
Server sets the value to 0, or to the default value of the parameter if 0 is an invalid value.


If invalid values are specified for parameters in the file, they are replaced by the default values 
where necessary. 


The following tables describe the configuration file parameters with the default values and range: 


+ General Configuration Parameters
+ Login Configuration Parameters
+ Security Configuration Parameters
+ Log Configuration Parameters


Table 2-1 General Configuration Parameters


Parameter: HOST_IP_ADDR
Default Value: IP address of the host
Description: The IP address of the host where NetWare FTP Server software is loaded.

Make sure that this value is in the standard IP address format and does not exceed 15
characters. It should not contain any special characters such as @ # $ % & * ( ) ? < >.

Range = 0.0.0.0 to 255.255.255.254
Parameter: FORCE_PASSIVE_ADDR
Default Value: (none listed)
Description: The public IP address to be exposed in a passive reply to FTP clients. This address
need not bind to the NetWare server. It usually binds to a NAT device that routes between a
private FTP server and a public FTP client. If commented out or set to 0.0.0.0, FTP Server uses
the HOST_IP_ADDR.

Make sure that this value is in the standard IP address format and does not exceed 15
characters. It should not contain any special characters such as @ # $ % & * ( ) ? < >.

Range = 0.0.0.0 to 255.255.255.254.

Anytime FORCE_PASSIVE_ADDR is used and private clients need to contact the FTP server, a
separate instance of FTP should be running on a secondary private-side IP address, with no
public address set by the FORCE_PASSIVE_ADDR.

This parameter is useful in the following scenarios:

+ When FTP is on a secure connection
+ Where the NAT device is not enhanced to look inside PASV replies to translate addresses there
+ Where SSL is in use, so the data portion is encrypted and not visible to the NAT device


Parameter: FTP_PORT
Default Value: 21 (Standard FTP port)
Description: The port number that the NetWare FTP Server should bind to and listen on for
connection requests.

Range = 0 to 65535

If the port number value is not within the specified range, the FTP Server uses the
default value.


Parameter: MAX_FTP_SESSIONS
Default Value: 30
Description: Maximum number of FTP sessions that can be active at any point of time. Minimum
value is 1.

Maximum value = 2^31 - 1 (2147483647)

If this value is set to less than 0, the FTP Server uses the default value.


Parameter: IDLE_SESSION_TIMEOUT
Default Value: 600
Description: The time (in seconds) that any session can remain idle.

Maximum value = 2^31 - 1 (2147483647)

The session never times out if the value is set negative.


Parameter: SECURE_CONNECTIONS_ONLY
Default Value: No
Description: Restricts the use of non-secure FTP connections.

Select NO to allow both secure and non-secure data and control connections.

Select YES to allow secure control connections and both secure and non-secure data
connections.

Select STRICT to allow secure data and control connections.


Parameter: DEFAULT_NAMESPACE
Default Value: Long
Description: The default name space.

The valid values are DOS and LONG.


Parameter: DATA_BUFF_SIZE
Default Value: 64
Description: Specifies the buffer size (in kilobytes) for the file transfer. It is applicable to
both record and file structures.

This parameter applies to the commands put, ls, get, and dir.

Enter the value in the following format:

DATA_BUFF_SIZE = 64

Range = 4 to 1020 KB

If the value is less than 4, the FTP Server takes the value as 4 KB.

If the value is greater than 1020, the FTP Server takes 1020 KB.

Optimum Buffer Size for Mixed Operations: 64 KB.

Optimum Buffer Size for Store Operations: Increase the buffer size for large files.

When setting the value, consider system resources such as memory, network bandwidth, and
speed available.
Parameter: TRANSMITFILE_SUPPORT
Default Value: NO
Description: This new parameter has been added in ftpserv.cfg to improve the performance
of downloading large files.

If this is set to YES, the FTP server uses new TransmitFile calls to transfer the file to
the FTP client. Information is read from the file and directly written to the TCP socket.

If this is set to NO, the FTP server uses a data buffer to read the information from file
and writes it to the socket.

The FTP Server uses the TransmitFile interface only while sending data from local
volumes to an FTP client.

Files being received (uploaded) by the FTP server are not impacted by this parameter.

Record structure file transfer and remote server file transfer are not supported by
TransmitFile. They use the existing data buffer transfer mechanism.


Parameter: KEEPALIVE_TIME
Default Value: 10
Description: Specifies the timeout time (in minutes) to close a connection that might be
broken on one side.

Range = 5 to 120

If the value is less than 0, the FTP Server takes the value as 0.

A value less than or equal to 0 minutes means no keep alive check is done. A value
between 1 and 4 (both inclusive) or greater than 120 minutes is taken as 120 minutes.

Vary the time based on FTP service usage. Typically, 10 minutes is adequate. However,
for frequently broken connections (as is common with dial-up connections), decrease
the timeout to clear broken connections faster.

Some FTP clients might process keep alive packets incorrectly. In such a scenario,
increase or disable the timeout to allow longer sessions without a keep alive check.


Parameter: WELCOME_BANNER
Default Value: sys:\etc\welcome.txt
Description: The content of this file displays when the FTP client establishes a connection.

The path with the filename can contain up to 512 bytes.


Parameter: MESSAGE_FILE
Default Value: message.txt
Description: The content of this file displays when the user changes the directory. For this
to occur, a file with that name must exist in the directory.

The path with the filename can contain up to 512 bytes.


Parameter: PASSIVE_PORT_MIN
Default Value: 1
Description: Minimum port number used for establishing a passive data connection.

Range = 1 to 65534

If this value is not within the range, the FTP Server uses the default value.

If this value is greater than the value specified for the maximum port number, the
FTP Server uses the default values of both parameters.


Parameter: PASSIVE_PORT_MAX
Default Value: 65534
Description: Maximum port number used for establishing a passive data connection.

Range = 1 to 65534

If this value is not within the range, the FTP Server uses the default value.


Parameter: PSEUDO_SERVER_FLAG
Default Value: 0
Description: Specifies how the NetWare FTP server should simulate UNIX FTP server behavior.

It can take decimal values from 0 through 3. This value is converted to binary format and
each bit is assigned a behavior. The LSB (least significant bit) denotes the reply string
that is sent for the SYST command.

If it is set to 1, the string is UNIX Type: L8. By default, it is NETWARE Type: L8. The next
bit to the LSB denotes the format that the permissions should use when sent to the
FTP client during a directory listing.

If it is set to 1, then the UNIX-like format is sent. By default, the permissions are sent in
NetWare trustee rights format.


Parameter: PSEUDO_FILE_PERMISSIONS
Default Value: 644
Description: Specifies the pseudo permissions displayed for files in the FTP client. This does
not impact the actual trustee rights available for the files.

This parameter is considered only when the PSEUDO_PERMISSIONS parameter is set
to ON; otherwise it is ignored. The value must be a three-digit octal value. Maximum
value = 777.
Parameter: PSEUDO_DIR_PERMISSIONS
Default Value: 755
Description: Specifies the pseudo permissions displayed for directories in the FTP client. This
does not impact the actual trustee rights available for the directories in any way.

This parameter is considered only when the PSEUDO_PERMISSIONS parameter is set
to ON; otherwise it is ignored. The value must be a three-digit octal value. Maximum value
= 777.


Parameter: DISABLE_PATH_DIR_LISTING
Default Value: No
Description: Enables or disables prefixing of the command argument path to the results while
listing directories.

The valid values are Yes and No.


Table 2-2 Login Configuration Parameters


Parameter: DEFAULT_USER_HOME_SERVER
Default Value: Server where FTP is running
Description: The name of the server on which the default home directory is located.

The path can contain up to 97 bytes.


Parameter: DEFAULT_USER_HOME
Default Value: sys:\public
Description: The default home directory of the user.

The path with the filename can contain up to 512 bytes.


Parameter: IGNORE_REMOTE_HOME
Default Value: No
Description: Specifies whether to ignore the home directory set in the Novell eDirectory
user object, if it is on a remote server, and go to the default directory.

The valid values are Yes and No.


Parameter: IGNORE_HOME_DIR
Default Value: No
Description: Specifies whether to ignore the home directory set in the eDirectory user
object and go to the default directory.

The valid values are Yes and No.


Parameter: DEFAULT_FTP_CONTEXT
Default Value: (none listed)
Description: Specifies the default context in which the users will be searched. Specify this
as a fully distinguished name (FDN). If you do not set the default FTP context, or if the
specified context is invalid, then the bindery context of the server, if available, is set as
the default FTP context; otherwise, the context of the server object is used.


Parameter: SEARCH_LIST
Default Value: (none listed)
Description: A list of fully distinguished names of containers (contexts) in which FTP
users are to be looked for (without any spaces), separated by commas. The length of this
string including the commas should not exceed 2048 bytes.

Each context specified by a fully distinguished name must begin with a leading dot (.).

You can specify a maximum of 30 containers.

To enable searching the user in the subtree under a search container, append ':s' to the
search container.


Parameter: RESTRICT_FILE
Default Value: sys:\etc\ftprest.txt
Description: NetWare FTP Server can define access restrictions to various levels of users,
hosts, etc. These restrictions are defined in a file, which can be specified here.

The path with the filename can contain up to 512 bytes.


Parameter: ANONYMOUS_ACCESS
Default Value: No
Description: Specifies whether anonymous user access is allowed.

The valid values are Yes and No.


Parameter: ANONYMOUS_HOME
Default Value: sys:public
Description: The home directory of the anonymous user.

The path format is

volumename:[/directory_name/...]

This path can contain up to 512 bytes.

If a colon (:) does not exist in the anonymous home directory, then the FTP Server uses the
default (sys:/public) as the anonymous user home directory.


Parameter: ANONYMOUS_PASSWORD_REQUIRED
Default Value: Yes
Description: Specifies whether to ask for an E-mail ID as the password for an anonymous
user to log in.

The valid values are Yes and No.
Table 2-3 Security Configuration Parameters


Parameter: INTRUDER_HOST_ATTEMPTS
Default Value: 20
Description: The number of unsuccessful login attempts before intruder host detection
activates.

The maximum value is 2^31 - 1 (2147483647) attempts.


Parameter: HOST_RESET_TIME
Default Value: 5
Description: Time interval (in minutes) during which the intruder host is not allowed to log in.


Parameter: INTRUDER_USER_ATTEMPTS
Default Value: 5
Description: The number of unsuccessful login attempts before intruder user detection
activates.

The maximum value = 2^31 - 1 (2147483647)


Parameter: USER_RESET_TIME
Default Value: 10
Description: Time interval (in minutes) during which the intruder user is not allowed to log in.


Table 2-4 Log Configuration Parameters


Parameter: FTP_LOG_DIR
Default Value: sys:\etc
Description: The directory where log files are stored.

This path can contain up to 512 bytes.

Do not give a filename that ends with a backslash (\) or a forward slash (/). Otherwise, the
log file is not created.


Parameter: MAX_LOG_SIZE
Default Value: 1024
Description: Maximum size (in KB) of the log files up to which messages will be logged.

Range = 1 to 4194303


Parameter: LOG_LEVEL
Default Value: 7
Description: Indicates the level of messages logged.

1 = ERROR
2 = WARNING
4 = INFORMATION

The following combinations can be given:

3 = ERROR, WARNING
5 = ERROR, INFORMATION
6 = INFORMATION, WARNING
7 = ERROR, WARNING, and INFORMATION


Parameter: FTPD_LOG
Default Value: FTPD
Description: The ftpd.log file is created automatically. This file contains all the internal
system-related information that NetWare FTP Server encounters.

The path with the filename can contain up to 512 bytes.


Parameter: AUDIT_LOG
Default Value: FTPAUDIT
Description: The ftpaudit.log file is created automatically. This file contains details of user
login activities.

The path with the filename can contain up to 512 bytes.


Parameter: INTRUDER_LOG
Default Value: FTPINTR
Description: The ftpintr.log file is created automatically. This file contains details of
unsuccessful login attempts.

The path with the filename can contain up to 512 bytes.


Parameter: STAT_LOG
Default Value: FTPSTAT
Description: The ftpstat.log file is created automatically. This file contains details of all
active sessions.

The path with the filename can contain up to 512 bytes.
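
The fallback rules in the tables above decide what the server actually runs with, which can differ from what the file says. The following is an added example, not Novell code and not part of the original guide: it resolves the effective values for a few Table 2-1 parameters and lists settings an administrator would want to review. The function names, the '#' comment character, and the sample file are assumptions made for illustration; the "NAME = value" form follows the DATA_BUFF_SIZE example in Table 2-1.

```python
# Added example, not Novell code. Assumes "NAME = value" lines and '#' comments.
DEFAULTS = {"FTP_PORT": 21, "IDLE_SESSION_TIMEOUT": 600, "DATA_BUFF_SIZE": 64,
            "KEEPALIVE_TIME": 10, "PASSIVE_PORT_MIN": 1, "PASSIVE_PORT_MAX": 65534,
            "SECURE_CONNECTIONS_ONLY": "NO", "ANONYMOUS_ACCESS": "NO"}

# Fallback rules for integer parameters, as stated in Table 2-1.
RULES = {
    "FTP_PORT": lambda v: v if 0 <= v <= 65535 else 21,
    "DATA_BUFF_SIZE": lambda v: min(max(v, 4), 1020),
    "KEEPALIVE_TIME": lambda v: 0 if v <= 0 else (v if 5 <= v <= 120 else 120),
    "PASSIVE_PORT_MIN": lambda v: v if 1 <= v <= 65534 else 1,
    "PASSIVE_PORT_MAX": lambda v: v if 1 <= v <= 65534 else 65534,
    "IDLE_SESSION_TIMEOUT": lambda v: v,  # a negative value means "never times out"
}

# Constructed sample, not a shipped ftpserv.cfg.
SAMPLE_CFG = """\
# site overrides
FTP_PORT = 2121
SECURE_CONNECTIONS_ONLY = YES
DATA_BUFF_SIZE = 2048
KEEPALIVE_TIME = 3
PASSIVE_PORT_MIN = 50100
PASSIVE_PORT_MAX = 50000
IDLE_SESSION_TIMEOUT = -1
ANONYMOUS_ACCESS = Yes
"""


def parse_cfg(text):
    """Return {NAME: raw value string} for every uncommented assignment."""
    raw = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if "=" in line:
            name, value = line.split("=", 1)
            raw[name.strip().upper()] = value.strip()
    return raw


def effective(raw):
    """Apply the documented fallbacks; return (effective values, notes)."""
    eff, notes = {}, []
    for name, rule in RULES.items():
        text = raw.get(name, str(DEFAULTS[name]))
        try:
            given = int(text)
        except ValueError:
            # Section 2.1: the server substitutes 0 or the default; which one
            # depends on the parameter, so the value is left unresolved here.
            eff[name] = None
            notes.append(f"{name}: non-integer {text!r}, server substitutes 0 or the default")
            continue
        eff[name] = rule(given)
        if eff[name] != given:
            notes.append(f"{name}: {given} is replaced by {eff[name]}")
    lo, hi = eff["PASSIVE_PORT_MIN"], eff["PASSIVE_PORT_MAX"]
    if lo is not None and hi is not None and lo > hi:
        eff["PASSIVE_PORT_MIN"], eff["PASSIVE_PORT_MAX"] = 1, 65534
        notes.append("PASSIVE_PORT_MIN exceeds PASSIVE_PORT_MAX: both revert to defaults")
    for name, valid in (("SECURE_CONNECTIONS_ONLY", ("NO", "YES", "STRICT")),
                        ("ANONYMOUS_ACCESS", ("NO", "YES"))):
        value = raw.get(name, DEFAULTS[name]).upper()
        if value not in valid:
            notes.append(f"{name}: invalid value {value!r}, default {DEFAULTS[name]} applies")
            value = DEFAULTS[name]
        eff[name] = value
    return eff, notes


def review(eff):
    """Flag effective settings that weaken transport or session controls."""
    findings = []
    mode = eff["SECURE_CONNECTIONS_ONLY"]
    if mode == "NO":
        findings.append("SECURE_CONNECTIONS_ONLY=NO: non-secure control and data connections accepted")
    elif mode == "YES":
        findings.append("SECURE_CONNECTIONS_ONLY=YES: non-secure data connections still accepted")
    if eff["ANONYMOUS_ACCESS"] == "YES":
        findings.append("ANONYMOUS_ACCESS=YES: anonymous logins are enabled")
    idle = eff["IDLE_SESSION_TIMEOUT"]
    if idle is not None and idle < 0:
        findings.append("IDLE_SESSION_TIMEOUT is negative: idle sessions never time out")
    if (eff["PASSIVE_PORT_MIN"], eff["PASSIVE_PORT_MAX"]) == (1, 65534):
        findings.append("Passive port range is the full default: narrow it to match firewall rules")
    return findings


if __name__ == "__main__":
    values, notes = effective(parse_cfg(SAMPLE_CFG))
    for line in notes + review(values):
        print(line)
```

In the sample, the inverted passive range silently reverts to 1 through 65534, so a firewall rule written for ports 50000 to 50100 would no longer match what the server offers in passive replies.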


2.2 Configuring by Using iManager 


You can use the iManager management utility that NetWare 6.5 provides to configure the NetWare 
FTP Server. 





NOTE: The FTP Server iManager snap-in does not work in the Novell Remote Manager browser. 





+ Section 2.2.1, “Installing FTP in iManager”
+ Section 2.2.2, “Configuring FTP Server Settings”


2.2.1 Installing FTP in iManager 


Meet the following requirements for the FTP Admin to be installed in iManager. 


+ Apache Web Server is selected during the NetWare 6.5 install.
+ iManager 2.7 is selected during the NetWare 6.5 install.

For more information about installing iManager 2.7, refer to the Novell iManager 2.7
Installation Guide
(http://www.novell.com/documentation/imanager27/imanager_install_27/data/hk42s9ot.html).


To go to the FTP plug-in, select the Infrastructure category, then click File Protocols > FTP to
launch the FTP Server Administration page. The links under the Infrastructure category and under
All categories refer to the same plug-in object on the server.


2.2.2 Configuring FTP Server Settings 
1 In iManager, click the Infrastructure category and click File Protocols > FTP to launch the 
FTP Server Administration page. 


In iManager 2.7, plug-ins are segregated based on categories they belong to. The FTP plug-in 
can be located in the Infrastructure category as well as in All categories, because the FTP link 
in both Infrastructure and All categories points to the same FTP Server Administration page. 
2 Click the Object selector to select the server where you will administer the FTP Server.


3 (Optional) Click Monitor Active FTP Sessions to view the number of active FTP instances and 
instance details such as IP address, port number, peak bandwidth, and the location of the 
configuration file. 


4 In the FTP Server Instances section, view the details of the FTP server instances.


Use this section to select the instance that you want to configure, start, or stop. You can also use 
it to add or delete instances. 


5 Click the instance for which you want to configure the parameters. 
The General, User, Security, and Log tabs are where you configure the parameters.
6 Select the General tab to modify the FTP General parameters. 


[Screenshot: FTP Server Administration page, General tab]


Use the General page to modify parameters related to multiple instances, FTP session, firewall port
limits for passive connections, and simulation of UNIX FTP replies. Click Monitor to view the
active sessions.


7 Select the User tab to modify the FTP User settings. 





[Screenshot: FTP Server Administration page, User tab]


Use this page to modify parameters for FTP login and anonymous access. 


8 Select the Security tab to modify intruder detection parameters such as host and user intruder 
detection settings. 





[Screenshot: FTP Server Administration page, Security tab]


9 Select the Log tab to view FTP log files on the server. 
[Screenshot: FTP Server Administration page, Log tab]

For more information on the parameters, refer to the online help. 


10 Click Save to save your settings, click Refresh to display the changes, or click Cancel to retain 
the previous settings. 
Managing and Administering NetWare FTP Server


This section discusses the following topics: 


+ Section 3.1, “Starting NetWare FTP Server”
+ Section 3.2, “Using the NetWare FTP Server from an FTP Client”
+ Section 3.3, “Administering”
+ Section 3.4, “Security Guidelines”


3.1 Starting NetWare FTP Server 


Load the NetWare® FTP Server software from the NetWare server by using the nwftpd command. 


When you start the software, the NetWare FTP Server uses the IP address of the host
(HOST_IP_ADDR) and the port number (FTP_PORT), as defined in sys:/etc/ftpserv.cfg, the
default configuration file, to bind to and listen for FTP client connection requests.


If these parameters are not defined in the configuration file, the NetWare FTP Server binds to all
configured network interfaces and the standard FTP port (port number 21).


To start the NetWare FTP Server software with a different configuration file (for example, 
myconfig.cfg), enter the following at the command line: 


nwftpd -c [volname:[/dirname/...]]myconfig.cfg


Default directory = sys:/etc. Default volume = sys:





NOTE: FTP Server aborts if the configuration file specified with the -c option does not exist.





+ Section 3.1.1, “Dynamic Configuration Updates”
+ Section 3.1.2, “Creating an Anonymous User”


3.1.1 Dynamic Configuration Updates 


The nwftpd command supports dynamic configuration updates by default. This means that the 
changes made to the configuration file with which the server has loaded take effect dynamically. The 
administrator does not need to unload and reload the server for the changes to take effect. 


However, it takes some time for the parameter values that were dynamically changed to take effect. 


Disabling Dynamic Configuration Updates 
To disable the dynamic configuration updates, use the following format: 


nwftpd [-c [volname:[/dirname/...]]myconfig.cfg] -d
3.1.2 Creating an Anonymous User


NetWare FTP Server software supports an anonymous user account. This account provides users
access to public files. You can enable or disable access to the anonymous user account by setting the
ANONYMOUS_ACCESS parameter in the configuration file. By default, the parameter is set to
No. Specify the path of the Anonymous user’s home directory in the ANONYMOUS_HOME
parameter of the configuration file. If the ANONYMOUS_HOME path does not exist,
anonymous login fails and the anonymous user cannot be placed in sys:public.


For more details, see Table 2-2 on page 18. 
To create an anonymous user, use the following format: 


nwftpd -a [-c [volname:[/dirname/...]]myconfig.cfg]


Using the -a Option 
When you use the -a option, NetWare FTP Server does the following: 
1. Creates the anonymous user, creates the home directory (if it is not available), and assigns the 
rights to the directory. 


2. On-screen prompts are displayed to enter the administrator name and password. The 
anonymous user is created in the eDirectory™ tree at the default context. 


3. The -a option modifies the configuration file for anonymous user access. 


However, it does not start the NetWare FTP Server. To start the NetWare FTP Server after this 
change, reload nwftpd. 


4. The configured anonymous home directory displays on the screen with an option to modify it. 


5. If the administrator does not specify a home directory, then the default directory is used. The
anonymous user has only Read and File Scan rights to the default directory. If the administrator 
specifies the anonymous home directory, then the directory is created and the Anonymous user 
will get Read, File Scan, Create, Delete, and Modify rights to that directory. 


6. The server takes the anonymous user home directory from the configuration file and displays it 
on the screen with the option to modify the directory. 


Rights 


When you manually create the anonymous user through a method other than nwftpd -a, ensure that 
the anonymous user has adequate rights to the anonymous home directory configured in the FTP 
Server. If adequate rights are not given, the file operations for the anonymous user might fail. 


Password 


The FTP Server assigns a blank password to the anonymous user. When the anonymous user 
attempts to log in, even though the FTP server gets an e-mail account as a password, the anonymous 
user is logged on using a blank password. 


The anonymous user login succeeds in the following conditions: 


+ When you create the anonymous user by using nwftpd -a. 


+ When you manually create the anonymous user and assign a password, but leave it blank. 


The anonymous user login fails when you manually create the anonymous user and either assign a 
password that is not blank or do not assign a password. This is because the FTP Server expects a 
blank password for the anonymous user. 


3.2 Using the NetWare FTP Server from an FTP Client 


This section discusses the following: 


+ Section 3.2.1, “Starting an FTP Session,” on page 27 
+ Section 3.2.2, “Security Extensions,” on page 29 
+ Section 3.2.3, “Accessing a Remote Server,” on page 30 
+ Section 3.2.4, “Path Formats,” on page 31 
+ Section 3.2.5, “SITE Commands,” on page 31 
+ Section 3.2.6, “Name Space and Filenames,” on page 32 


3.2.1 Starting an FTP Session 


+ “Logging In to the eDirectory Tree” on page 28 
+ “User Home Directory” on page 28 
+ “Logging In to a Server Running an IBM Operating System” on page 29 


To start an FTP session from a workstation running the FTP client software, use the following 
format: 


ftp hostname | IP Address [Port Number] 


Table 3-1 FTP session start parameters 


Parameter                Description 

hostname | IP address    Name of the server in the DNS or IP address of the NetWare server 
                         running the FTP service. 

Port number              The port where the server is listening for connection requests. 
                         Use with the open command. 


When you enter this command, the FTP client prompts for a username and password. 


Logging In to the eDirectory Tree 

You can log in to the NetWare FTP Server in one of the following ways: 

+ Specify the username with full context, including a leading dot (.). 

For example: 

.user1.sales.company. 

If you do not specify the context, the NetWare FTP Server searches for the user only in the 
current session context. 

+ Specify the context relative to the default context (which is the context of the NetWare server 
where FTP is running). 

Relative contexts do not include leading dots. 

For example, if the default context of NetWare FTP Server is .company, then user1 located 
in the .sales.company container can log in using the following format: 

user1.sales 
+ When logging in for the first time only with a username without specifying the context, the 
NetWare FTP Server searches for the user in the following sequence: 
1. Default FTP context. 
2. The first bindery context of the server, if it is set. 
a. The context of the NetWare Server object, if the bindery context is not set. 
b. The contexts listed in the SEARCH_LIST parameter of the configuration file 
ftpserv.cfg, in the order listed. 


When a user login is successful, the NetWare FTP Server context gets set to the user’s context. 
Therefore, when a user is logged in to an FTP session and decides to authenticate as another user 
(without specifying a context) with the command USER username, this new username is searched for 
under the context of the user who previously logged in successfully. If the user is not found here, the 
user is searched in the order of contexts listed in the SEARCH_LIST parameter of ftpserv.cfg. 





If a user with an expired password attempts to log in to the NetWare FTP Server, a message stating 
that the password has expired displays after the user logs in. Logging in with an expired password 
uses the grace logins. If all the grace logins of the user expire, the user cannot log in and receives an 
error message. 


User Home Directory 


After the user logs in, the NetWare FTP Server places the user in the user's eDirectory home 
directory (if it is defined) and attaches the user to the server where the home directory resides. 


If the home directory is not defined or cannot be located, the NetWare FTP Server places the user in 
the default user home directory specified in the configuration file. 


To specify the name of the server where the default user home directory is located, use the 
DEFAULT_USER_HOME_SERVER parameter. If the parameter is not specified, by default the 
NetWare FTP Server considers the default user home directory to be on the server where the 
NetWare FTP Server is running. 

A user is placed in the default user home directory under the following conditions: 

+ If IGNORE_HOME_DIR = Yes. 
+ If IGNORE_REMOTE_HOME = Yes, and the user's home directory is on a remote server. 
+ If the remote server on which the home directory exists is down. 

The user without a home directory is placed in the Default_Home_Server\Default_User_Home 
directory. If this fails (either because the home server is down or the home directory is not present on 
the home server), then the user is placed in Local_server\Default_User_Home. If that fails too 
(because Default_User_Home is not present in the local server also), then the user is placed in 
Local_server\Sys:\public. 


Logging In to a Server Running an IBM Operating System 


To log in to a remote server running an IBM* operating system, the user must have a user account 
on that server. 


To log in to the IBM server from an FTP client, start an FTP session using FTPHost. Give the username 
in the following format: 


@IBMservername.username 


To log in to an IBM server from a browser, use the following format: 


ftp://@IBMserver.username:password@FTPHost 

To log in as an anonymous user, the user name and password can be omitted: 

ftp://@IBMservername@FtpHost 

After logging in to an IBM server, the user is placed in the home directory of that IBM server. 


While logging in to an IBM server, the user is not authenticated to the eDirectory tree. This means, 
navigation between IBM servers and eDirectory servers is not possible. 


3.2.2 Security Extensions 


Security extensions enable secure FTP clients that support the SSL and TLS mechanisms to 
establish secure connections with the server. 


SSL and TLS are similar to the encryption system used by HTTPS Web pages. SSL and TLS 
provide a secure method for sending sensitive information across connections. The control and data 
connections are fully encrypted, so no one can view the FTP commands, username, password, and 
data transferred, as is possible with all non-encrypted FTP sessions. 


After successful negotiation of the SSL/TLS mechanism, all the commands and replies are 
encrypted. 


NetWare FTP Server supports the following mechanisms and commands related to security 
extensions: 


+ SSL encryption mechanism 
+ TLS encryption mechanism 
+ Command channel encryption and data channel encryption 
+ The following security extension commands: 
    + AUTH Mechanism Name 
    + PBSZ Protection Buffer Size 
    + PROT Protection Level 


FTP Clients 
If you are using security extensions, use FTP clients that support the SSL/TLS mechanism. 
The following is a representative list of such FTP clients: 


+ SmartFTP V1.0: This is a secure GUI FTP client. You can download it from the SmartFTP Web site 
(http://www.smartftp.com). 


+ ftps: This is a command line FTP client from FreeBSD* that can be installed on Windows* and 
UNIX* machines. You can download the bsdftpd-ssl-1.1.0.tar.gz file from the FreeBSD Web 
site (ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles). 


+ Secure FTP 2: This is a command line Secure FTP client. You can download it from the Glub Tech 
Inc. Web site (http://www.glub.com/products/secureftp/download.shtml). 
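

The following Python check is an added example, not part of the Novell guide or the product. It audits a client-side command trace to confirm that USER and PASS were sent only after AUTH succeeded and that file data moved only after PROT P. The ordering rules (reply 234 to AUTH, PBSZ before PROT, data channel clear until PROT P) come from RFC 2228 and RFC 4217; the traces are constructed.

```python
# Commands that open a data connection and so depend on the PROT level.
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "STOU", "APPE"}

# Constructed traces: (command line as sent by the client, final reply code).
SECURE = [("AUTH TLS", 234), ("USER .user1.sales.company", 331), ("PASS ****", 230),
          ("PBSZ 0", 200), ("PROT P", 200), ("RETR report.txt", 226)]
PLAIN = [("USER .user1.sales.company", 331), ("PASS ****", 230), ("LIST", 226)]
CONTROL_ONLY = [("AUTH TLS", 234), ("USER .user1.sales.company", 331),
                ("PASS ****", 230), ("RETR report.txt", 226)]


def audit_session(trace):
    """Audit (command_line, reply_code) pairs from a client-side session trace.

    Returns a list of findings; an empty list means credentials and file data
    were sent only after the security extensions had been negotiated.
    """
    findings = []
    tls = False   # AUTH accepted, control channel encrypted
    pbsz = False  # PBSZ accepted, PROT is now allowed
    prot = "C"    # data channel protection level, Clear by default
    for line, code in trace:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        accepted = 200 <= code < 300
        if verb == "AUTH":
            if code == 234:
                tls, pbsz, prot = True, False, "C"
            else:
                findings.append(f"AUTH {arg} not accepted (reply {code})")
        elif verb in ("USER", "PASS"):
            if not tls:
                findings.append(f"{verb} sent before AUTH succeeded")
        elif verb == "PBSZ":
            if not tls:
                findings.append("PBSZ sent before AUTH succeeded")
            pbsz = tls and accepted
        elif verb == "PROT":
            if not pbsz:
                findings.append("PROT sent before PBSZ succeeded")
            elif accepted:
                prot = arg
        elif verb in DATA_COMMANDS and prot != "P":
            findings.append(f"{verb} used an unencrypted data channel (PROT {prot})")
    return findings
```

The CONTROL_ONLY trace shows the case that is easiest to miss: the login is protected, but the file contents still travel in the clear because PROT P was never sent.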


3.2.3 Accessing a Remote Server 


After logging in to the eDirectory™ tree, users can access files and directories on a remote NetWare 
server whether or not the server is running NetWare FTP Server software. The remote server can be 
another NetWare server or an IBM server, if they are in the same tree. 


The NCP™ protocol lets you transfer files and navigate to and from remote eDirectory servers. 


Figure 3-1 How a NetWare FTP Server Accesses Remote NetWare Servers 

[Figure: a workstation running FTP client software uses FTP to connect to the local NetWare FTP 
Server. The user can then access files on a remote NetWare server (running NetWare 4.1 or later) 
without the FTP service.] 







the command line. 


To navigate to remote servers, use the following format: 





cd //remote server name/volume/directory pathname 


File operations such as get, put, and delete can be used on the remote server, even without changing 
directory path to that server. For example: 


get //remote server name/volume/directory path/filename 





The double slash (//) indicates that the user wants to access a remote server. After the double slash, 
the first entry must be the name of the remote server. 

During remote server navigation, to check the server to which you are doing FTP operations, 
execute the quote stat command. This displays the current server in the statistics listing. 





NOTE: The quote command is not case sensitive when entered from the FTP client. 





If the current directory is on a remote server and the remote server goes down, the user is placed in 
the home directory in the home server. If the home server is not available, the user is placed in the 
default user home directory. 


3.2.4 Path Formats 

Table 3-2 NetWare FTP Server path formats 


Task                                                 Command Format 

Specifying the volume and directory path name        //server_name/volume_name/directory_path 
Navigating to different volumes                      cd /volume_name 
Switching back to the home directory                 cd ~ 
Switching to home directory of any user              cd ~user_name 
Switching to the root of the server                  cd / 





IMPORTANT: NetWare FTP Server does not support wildcards at the root of the server. 





3.2.5 SITE Commands 


The SITE command enables FTP clients to access features specific to the NetWare FTP Server. 





NOTE: The SITE command is not case sensitive when entered from an FTP client. 





The SITE command has the following syntax: 








SITE [SLIST | SERVER | HELP | CX {CONTEXT} | LONG | DOS | OU] 























NOTE: The settings made through SITE commands are valid only for the current session. 





These commands are unique to the NetWare FTP service and are not standard FTP commands. 


The following table provides the list of SITE commands along with their descriptions: 


Table 3-3 NetWare FTP SITE commands 


Command    Description 

SLIST      Lists all the NetWare servers within the eDirectory tree. 

SERVER     Lists all NetWare servers in the current eDirectory context and its sub-OUs. 
           For example, SITE SERVER displays all NetWare servers in the current context. 

HELP       Displays the help file related to the SITE commands. It gives the syntax 
           and description of all SITE commands. 

CX         CX without a context displays the current context of the NetWare FTP Server. 

           CX with a context as an argument sets the current eDirectory context to a 
           given value. For example: 

           To change to an OU named "test" within the current context, use cx 
           ou=test (which specifies a relative context). 

           cx .ou=test.o=acme sets the context to the OU test using the absolute 
           context. 

           CX with the argument ~ resets the context back to the user's context. 

OU         Displays all the organizational units relative to the current context. 

           OU enables users to display the eDirectory organizations (containers) 
           below the current eDirectory context. 

LONG       Changes the configured name space to the LONG name space. 

DOS        Changes the configured name space to the DOS name space. This 
           change takes place only for the current session. All NetWare volumes 
           support the DOS name space. 

3.2.6 Name Space and Filenames 


NetWare FTP Server software supports DOS and LONG name space. The default name space is 
configured in the configuration file. FTP users can also change it dynamically by using the SITE 
DOS command or the SITE LONG command. 











NOTE: The name space changed by using SITE command is in effect only in the current session. 





The default configured name space is LONG. 


When the user changes the name space, the change affects only those volumes that support the 
specified name space. If the LONG name space is not supported on a specific volume, users must 
follow the DOS file naming conventions of using no more than eight characters for the name plus no 
more than three additional characters for the extension. 


In both name spaces, the user views the response to the ls or dir command in the NetWare format 
only. The format of the directory listing is as follows: 


type rights owner size time name 

where the above variables stand for the following: 


+ Type: Type of file, where (-) indicates a file and (d) indicates a directory. 
+ Rights: The file owner’s effective NetWare rights of this file or directory. 
+ Owner: NetWare user who created this file or directory. If the object mapping and the owner’s 
name are not found, the object ID is displayed. 
+ Size: The size, in bytes, of the file or directory. For a directory, it is always 512. 
+ Time: The modification date and time of the file or directory. 
+ Name: The name of the file or directory in the current name space. 


3.3 Administering 


This section discusses various ways to administer the NetWare FTP Server: 


+ Section 3.3.1, “Supporting Extended Characters in a User Password,” on page 33 
+ Section 3.3.2, “Initializing Multiple Instances,” on page 33 
+ Section 3.3.3, “Unloading Specific Instances,” on page 34 
+ Section 3.3.4, “Managing Intruder Detection,” on page 34 
+ Section 3.3.5, “Specifying Access Restrictions,” on page 35 
+ Section 3.3.6, “Monitoring FTP Log Files,” on page 38 
+ Section 3.3.7, “Viewing Active Sessions,” on page 39 
+ Section 3.3.8, “Setting Modification Time,” on page 41 
+ Section 3.3.9, “Subtree Search Support,” on page 42 


3.3.1 Supporting Extended Characters in a User Password 


Users are unable to log in if a password containing extended characters is set from a Windows 
workstation, such as from iManager. This is because of code page differences between the server 
and the client. 


To ensure that the user login is successful, you need to set a password with extended characters from 
the server console. 


3.3.2 Initializing Multiple Instances 


Multiple instances of the NetWare FTP Server can run on a single machine with different IP 
addresses or port numbers. 


You can initialize multiple instances of the NetWare FTP Server, if each instance of the NetWare 
FTP Server has a unique IP address and port number combination. Each NetWare FTP Server 
instance can have its own configuration file and access restrictions file. 


The NetWare FTP Server uses the IP address of the host (HOST_IP_ADDR) and the port number 
(FTP_PORT) as defined in the configuration file to bind to and listen for FTP client connection 
requests. You can specify the configuration file while starting the NetWare FTP Server. If these 
parameters are not defined in the configuration file, the NetWare FTP Server listens to the standard 
FTP port number on all of the NetWare Server’s IP addresses. 

If multiple instances of NetWare FTP Server (NWFTPD) are running and if you need to set the 
FORCE_PASSIVE_ADDR parameter (non-default), then any instance where this is set must have a 
unique value. 


If one instance of NetWare FTP Server is listening on multiple addresses and the configured passive 
address is not reachable from clients on some networks, then the administrator can configure 
separate instances of FTP for each network address. Each instance can then have its own 
FORCE_PASSIVE_ADDR setting. 


For more details, see Table 2-1 on page 13. 


3.3.3 Unloading Specific Instances 


You can unload specific instances of NetWare FTP Server that correspond to the specified 
configuration file by using the following syntax: 


nwftpd -u [volname: [/dirname/...]] myconfig.cfg 


Default directory = sys:/etc. Default volume = sys: 


3.3.4 Managing Intruder Detection 


You can enable either host intruder detection or user intruder detection, but not both at the same 
time. 


For example, INTRUDER_HOST_ATTEMPTS can be disabled (set to 0) while 
INTRUDER_USER_ATTEMPTS is enabled (set to 1 or higher). 


If a successful login takes place before the maximum specified number of unsuccessful login 
attempts, the login failures count is reset to 0. 


If the invalid login attempts of the users and hosts are fewer than maximum attempts allowed, and 
they are not detected as an intruder, they are removed from the corresponding list after refresh time 
of 72 hours. 


The intruder host list and the intruder user list are refreshed every 72 hours. 


+ “Host Intruder Detection” on page 34 
+ “What Happens When the Host Is Identified As an Intruder” on page 34 
+ “User Intruder Detection” on page 35 
+ “What Happens When the User Is Identified As an Intruder” on page 35 


Host Intruder Detection 


A host or a client machine is considered an intruder when the number of consecutive login failures 
for any user from that host is more than the configured limit set by the 
INTRUDER_HOST_ATTEMPTS parameter. 


What Happens When the Host Is Identified As an Intruder 


+ The server closes the session. 

+ The host machine's access to the NetWare FTP Server is denied for the time interval specified by 
the HOST_RESET_TIME parameter in the configuration file. 


User Intruder Detection 


A user is considered an intruder when the number of unsuccessful login attempts is more than those 
specified by the INTRUDER_USER_ATTEMPTS parameter in the configuration file. 


All failed attempts from a user from different hosts are considered for intruder detection as the same 
user. When the accumulated attempts for the same user from different hosts exceed the maximum 
number of allowed attempts, then that user is detected as an intruder. 


What Happens When the User Is Identified As an Intruder 

+ The user account is locked out for an interval of time specified by the USER_RESET_TIME 
parameter in the configuration file. 

+ The user cannot log in from a different host until the reset time is over. 


3.3.5 Specifying Access Restrictions 


The FTP service lets you specify access restrictions for a user, a client host, and the IP address of a 
client host. The access restrictions are specified in the RESTRICT_FILE restrictions file, which can 
be configured. You can specify the access restrictions at various levels, and multiple access rights 
are allowed. 


By default, changes to the RESTRICT_FILE take effect dynamically. But when the objects restricted 
in the ftprest.txt file are renamed in eDirectory, these objects should be synchronized manually in 
the ftprest.txt restriction file. 


+ “Restriction Levels” on page 35 
+ “Access Rights” on page 36 
+ “Keywords” on page 37 
+ “Restriction File” on page 37 


Restriction Levels 


The following table describes the supported levels of access restrictions. 

Table 3-4 NetWare FTP Access Restrictions and Support Levels 


Restriction Level    Description 

Container            Restriction can be specified for any eDirectory container. This 
                     controls all the users in that container and its sub-OUs. 

                     * container name 

                     The asterisk (*) indicates the container level restriction. The 
                     container should be a fully distinguished name. 

                     To apply restrictions if the container names have aliases, add 
                     the alias of the container names in the restrictions file. 

User                 Restriction can be specified for a particular user. 

                     .user name 

                     The period (.) indicates user level restriction. The username 
                     should be a fully distinguished name. 

                     To apply restrictions if the user names have aliases, add the 
                     alias of the user names in the restrictions file. 

Domain               Restriction can be specified at the domain level. This controls all 
                     the hosts in that domain and its subdomains. The following is the 
                     RESTRICT file format: 

                     DOMAIN= domain name 

                     The DOMAIN= key word indicates the domain level restriction. 

                     The domain restrictions do not work if the NetWare server is not 
                     configured to query a valid DNS server, or if the restricted 
                     domain's DNS database does not contain a pointer record 
                     (address to name resolution) for the FTP client address. 

Address Range        Restriction can be specified based on the IP address or range. 

                     Restricts any node that has the IP address within the specified 
                     IP address range. The range is specified by two IP addresses 
                     separated by a space. The range = 0.0.0.0 to 255.255.255.254. 
                     The value 255.255.255.255 is invalid since 255.255.255.255 is a 
                     broadcast address and not supported for ADDRESS_RANGE. 

Host                 Restriction can be specified for a particular host machine. 

                     ADDRESS= host name/IP address 

                     The ADDRESS= key word indicates the host level restriction. 
                     The host name or IP address of the host can be specified. 

                     The DNS configuration should be appropriate for address and 
                     domain name restrictions. 


Access Rights 


The following table describes the permitted access rights. 


Table 3-5 NetWare FTP Access Rights list 


Access Right    Description 

DENY            Denies access to the NetWare FTP Server for that client. 

READONLY        Gives read-only access to the client. 

NOREMOTE        During login, the NetWare FTP Server determines the user’s home 
                server and home directory. The user is unable to navigate outside the 
                home server. 

                NOTE: The home server can be different from the server where 
                NetWare FTP Server is running. 

GUEST           During login, the NetWare FTP Server determines the user’s home 
                server and home directory. The user is unable to navigate outside of 
                the home directory. 

                NOTE: The home server can be different from the NetWare FTP 
                Server. 

ALLOW           Gives normal FTP access without restriction. 


Keywords 


The following table describes the possible keywords. 


Table 3-6 NetWare FTP Access Restriction Keywords 


Keyword           Description 

ADDRESS=          Restricts a particular node. The IP address or machine name can be 
                  used. 

DOMAIN=           Restricts a particular domain. 
                  The asterisk (*) should be used for container-level restrictions. 

ADDRESS_RANGE=    Restricts a range of nodes based on the IP address. It applies the 
                  restriction to any node that has the IP address within the specified IP 
                  address range. 

ACCESS=           Mandatory for each line. It should be followed by access rights. 


Restriction File 


The format and organization of the RESTRICT_FILE restriction file is as follows: 


+ Each line should have one entity name and corresponding access rights. 

+ The rights of the entities are assigned according to the order of the restriction file. If different 
rights apply to the same entity, the latest entities that appear in the restriction file are used. 

+ All rights specified in the same line are applied to that entity. 

+ If the restriction file does not exist or is empty, the ALLOW access is given to all users. Users 
have no restrictions other than those imposed by their own effective trustee rights to the file 
system. 


Example 1 


*.novell ACCESS=ALLOW 
*.testou.novell ACCESS=DENY 
.user1.testou.novell ACCESS=READONLY 


User1 at testou is granted read-only rights. The other users at testou.novell are denied the right to log 
in. However, all other OUs at .novell are allowed. 








Example 2 


*.testou.novell ACCESS=DENY 
*.novell ACCESS=ALLOW 


All OUs at .novell are allowed because both rights apply to testou and the second one would be 
used. 


Example 3 


ADDRESS=Clientmachine1.testou.novell.com ACCESS=NOREMOTE 
.user1.novell ACCESS=READONLY 


User1 logging in from clientmachine1 will have read-only rights and no remote access. 


For more details, see Table 2-2 on page 18 
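

Example 2 shows how a later line for a parent container silently cancels an earlier DENY. The following Python sketch is an added example, not Novell code: it parses restriction-file lines, resolves the rights for one login, and flags restrictive lines that a later ancestor line overrides. The precedence model (last matching user or container line wins, last matching host line wins, the two results are combined) is an assumption chosen to reproduce Examples 1 to 3.

```python
import ipaddress
import re

RESTRICTIVE = {"DENY", "READONLY", "NOREMOTE", "GUEST"}
LINE = re.compile(r"^(?P<entity>.+?)\s+ACCESS=(?P<right>\S+)\s*$", re.IGNORECASE)

# The three examples from this section.
EXAMPLE_1 = "*.novell ACCESS=ALLOW\n*.testou.novell ACCESS=DENY\n.user1.testou.novell ACCESS=READONLY\n"
EXAMPLE_2 = "*.testou.novell ACCESS=DENY\n*.novell ACCESS=ALLOW\n"
EXAMPLE_3 = "ADDRESS=Clientmachine1.testou.novell.com ACCESS=NOREMOTE\n.user1.novell ACCESS=READONLY\n"


def norm(name):
    """Normalise an eDirectory or DNS name: strip spaces and a leading dot, lower-case."""
    return name.strip().lstrip(".").lower()


def parse(text):
    """Return (kind, value, right, line_no) for every 'entity ACCESS=right' line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, or no ACCESS= keyword (mandatory per the guide)
        entity, right = m["entity"].strip(), m["right"].upper()
        key, _, rest = entity.partition("=")
        key = key.upper()
        if key == "ADDRESS_RANGE":
            low, high = (ipaddress.ip_address(a) for a in rest.split())
            entries.append(("range", (low, high), right, no))
        elif key == "ADDRESS":
            entries.append(("host", rest.strip().lower(), right, no))
        elif key == "DOMAIN":
            entries.append(("domain", norm(rest), right, no))
        elif entity.startswith("*"):
            entries.append(("container", norm(entity[1:]), right, no))
        elif entity.startswith("."):
            entries.append(("user", norm(entity), right, no))
        else:
            raise ValueError(f"line {no}: unrecognised entity {entity!r}")
    return entries


def effective_rights(entries, user_dn, client_ip=None, client_name=None):
    """Resolve one login under the assumed model described in the lead-in."""
    user = norm(user_dn)
    host = (client_name or "").lower()
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    directory_right = host_right = None
    for kind, value, right, _ in entries:
        if kind == "user" and user == value:
            directory_right = right
        elif kind == "container" and user.endswith("." + value):
            directory_right = right
        elif kind == "host" and value in (host, client_ip):
            host_right = right
        elif kind == "domain" and host.endswith("." + value):
            host_right = right
        elif kind == "range" and addr is not None and value[0] <= addr <= value[1]:
            host_right = right
    rights = {r for r in (directory_right, host_right) if r}
    # No matching line (or an empty file) means unrestricted access.
    return rights - {"ALLOW"} or {"ALLOW"}


def shadowed(entries):
    """Return (line, overriding_line) pairs: a restrictive user or container
    line followed by a line for the same or an ancestor container."""
    scoped = [e for e in entries if e[0] in ("user", "container")]
    findings = []
    for i, (kind, value, right, no) in enumerate(scoped):
        if right not in RESTRICTIVE:
            continue
        for kind2, value2, right2, no2 in scoped[i + 1:]:
            same = kind == "container" and value == value2
            if kind2 == "container" and right2 != right and (same or value.endswith("." + value2)):
                findings.append((no, no2))
                break
    return findings
```

Running shadowed() over a restriction file before deploying it catches the Example 2 ordering mistake, where the intended DENY never takes effect.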


3.3.6 Monitoring FTP Log Files 


The NetWare FTP Server has four log files for recording different activity information. All the log 
files are created in the FTP_LOG_DIR directory specified in the configuration file. 


The LOG_LEVEL parameter defined in the configuration file controls the amount and type of 
information logged. 


All the log files now support comma-delimited format for log messages. 


Specifying Log Levels 


The log level is a set of bits that you can specify in any combination: 


+ 1 = ERROR 
+ 2 = WARNING 
+ 4 = INFO 


Table 3-7 NetWare FTP Server Log Levels 


Log Level Combination      Logged 

LOG_LEVEL = 3              Error messages and warning messages. 
LOG_LEVEL = 4              Error messages and warning messages. 
LOG_LEVEL = 7 (Default)    All messages are logged. 


The MAX_LOG_SIZE parameter specifies the maximum size of the log files (in KB), up to which 
messages can be logged. After exceeding this limit, the existing contents of log files are copied to 
the corresponding backup (*.bak) files. 


Statistics Log File 


The statistics log file contains details of all active sessions. The default path is 
sys:/etc/ftpstat.log. 


The statistics log file maintains the following three record types. Every record type is separated by a 
comma. 


+ TRANSFER: Contains information related to the data transfer. 
+ USER: Contains information related to users logged in or logged out. 


+ FAILURE: Contains information about the number of failures during data transfer. 


Intruder Log File 


The intruder log file contains information about unsuccessful login attempts. The default path is 
sys:/etc/ftpintr.log. 


The following information is recorded in the file: 


+ Address of the machine where the login originated 
+ Time of the attempted access 


+ Login name of the user 


The general intruder log format is: 











ErrorLevel, Date Time, Client IPaddress, UserName, messag 
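

Because the server enforces either host or user intruder detection but not both, the intruder log is where the other pattern has to be found. The following Python sketch is an added example, not Novell code: it reads records in the five-field layout above and applies both thresholds from Section 3.3.4 offline. The sample records, including the ErrorLevel text and timestamp format, are constructed, and because the log holds only failures, the counts are upper bounds on the consecutive-failure counts the server keeps.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample. The ErrorLevel text, timestamp format, user names and
# addresses are invented for illustration only.
SAMPLE_LOG = """\
WARNING, 03/14/2009 10:02:11, 192.0.2.10, .alice.sales.acme, Login failed
WARNING, 03/14/2009 10:02:15, 192.0.2.10, .bob.sales.acme, Login failed
WARNING, 03/14/2009 10:02:19, 192.0.2.10, .carol.sales.acme, Login failed
WARNING, 03/14/2009 10:02:23, 192.0.2.10, .dave.sales.acme, Login failed
WARNING, 03/14/2009 11:30:01, 198.51.100.1, .admin.acme, Login failed
WARNING, 03/14/2009 11:31:40, 198.51.100.2, .admin.acme, Login failed
WARNING, 03/14/2009 11:33:02, 198.51.100.3, .admin.acme, Login failed
WARNING, 03/14/2009 11:34:55, 198.51.100.4, .admin.acme, Login failed
WARNING, 03/14/2009 12:00:00, 203.0.113.5, .eve.sales.acme, Login failed
"""


def read_failures(text):
    """Return (client_ip, user) for each well-formed intruder log record."""
    failures = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        # Fields: ErrorLevel, Date Time, Client IP address, UserName, message
        if len(row) >= 5:
            failures.append((row[2].strip(), row[3].strip().lower()))
    return failures


def analyse(text, host_attempts, user_attempts):
    """Apply both intruder thresholds and report what each mode would miss."""
    by_host = defaultdict(list)  # client IP -> users it tried
    by_user = defaultdict(list)  # user -> client IPs that tried it
    for ip, user in read_failures(text):
        by_host[ip].append(user)
        by_user[user].append(ip)
    # "More than the configured limit" is a strict comparison.
    hosts = {ip for ip, tried in by_host.items() if len(tried) > host_attempts}
    users = {u for u, ips in by_user.items() if len(ips) > user_attempts}
    return {
        "host_intruders": sorted(hosts),
        "user_intruders": sorted(users),
        # One host trying many users a few times each: user mode never trips.
        "missed_by_user_mode": sorted(ip for ip in hosts if not users & set(by_host[ip])),
        # One user tried from many hosts: host mode never trips.
        "missed_by_host_mode": sorted(u for u in users if not hosts & set(by_user[u])),
    }
```

With both limits set to 3, the sample yields one host that only host detection would catch and one user that only user detection would catch.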


System Log File 


The system log file contains all the internal system-related information encountered by the NetWare 
FTP Server. 


The general system log file format is: 








Error, Thread ID, Date Time, Messag 


For more details, see Table 2-4 on page 20. 


3.3.7 Viewing Active Sessions 


To load the Active Sessions display utility, click the Monitor Active Session link in iManager. 

Figure 3-2 Active Session Display 

[Screenshot: the FTP Instance page, showing the total number of FTP instances and, for each 
instance, its IP address, port, number of sessions, peak bandwidth (KBPS), and configuration file.] 


Figure 3-3 Session-based Details 

[Screenshot: the FTP Configuration Parameters page for FTP Instance 1, listing each parameter from 
the configuration file sys:\etc\ftpserv.cfg with its current value.] 

You can view session-based details such as bytes sent, bytes received, session duration, files sent, 
files received, and current Novell® eDirectory 8.7.3 context. These details are not tied to individual 
user logins. 


These statistics-related pages time out every 20 minutes. Users can reload them by clicking the 
Monitor Active Session link again. 


3.3.8 Setting Modification Time 


NetWare FTP Server now supports extended functionality for the mdtm modification time 
command. This command now allows you to set the last modified date and time for both files and 
directories. 


Previously, the mdtm command functionality was limited to retrieving the last modified date and 
time of a file only. 


The command syntax is as follows: 
mdtm [timestamp] pathname 


+ The format for the optional timestamp is YYYYMMDDHHMMSS. 
+ The timestamp is required only when setting the modified date and time of the target. 
+ FTP Server considers the timestamps set or retrieved to be in server local time. 
+ The pathname can be any existing file or directory on the server. You can use relative and 
absolute paths. 
+ FTP Server supports and accepts pathnames that either begin with spaces or include spaces. 


However, use the spaces in file and directory names with caution because the handling of 
spaces in these names varies with each FTP client. Certain FTP clients do not handle spaces 
well when they parse the user’s command prior to sending it to the server, and some clients 
might handle this better if the pathname is enclosed in double quotes. 


For example, 


" pathname" 


FTP Client Response 


If the FTP client does not recognize the mdtm command, then the client software might reject the 
command that the user enters and might not forward it to the server. 


To ensure that the client forwards the mdtm command to the server, enter a customized quote 
command in the following format: 


quote MDTM [timestamp] pathname 


Most FTP clients view the quote command as a signal that they should send the rest of the line to 
the FTP Server even if the client software does not recognize it. 


However, some clients might change spaces and quotation marks within the quote command, so 
successful execution on paths or names containing spaces might not be possible from some FTP 
clients. 


3.3.9 Subtree Search Support 


FTP Server now supports subtree searching while looking for user objects under specified contexts. 


To enable subtree search, add the delimiter :s to the end of the context in the SEARCH_LIST 
parameter in the ftpserv.cfg file. The FTP server then searches the context and all sub containers. If 
:s is not added to a context, the search is done only within the specified context. 


The contexts in the list should be specified in the preferred search order. 


For example: 





SEARCH_LIST=.accounting.boston.novell:s,.development.boston.novell:s,.boston.novell 


Here the search begins for user objects in .accounting.boston.novell and in the subtree below. If the 
user is not found under this subtree, the search continues under .development.boston.novell and in 
the subtree. If the user is not found, .boston.novell is searched again, without searching any further 
sub containers. 


The subtree search is performed by ndsilib.nlm. This module accesses the tree through the 
nfauuser user object. This user is normally created during the NetWare 6.5 install, for use by Native 
File Access for UNIX (NFS), but can also be created by loading schinst -n at the server console. 


The load sequence in the autoexec.ncf file should be changed to load ftpstart.ncf first. 
Alternatively, if nfsstart.ncf is remarked out because NFS is not being used, load ndsilib.nlm 
before ftpstart.ncf. 


For more information on this utility please refer to online documentation on Native File Access for 
UNIX (http://www.novell.com/documentation/oes/native/index.html?page=/documentation/oes/ 
native/data/h9izvdye.html#h9izvdye). 


Any duplicate contexts in the SEARCH_LIST will be eliminated and the modified list is noted in the 
ftpd.log file. 


Context duplication is checked according to the order specified in SEARCH_LIST. That is, if a 
parent context has subtree search enabled, all the subsequent child contexts specified in the 
SEARCH_LIST are eliminated irrespective of whether they are specified for subtree search or 
one-level search. 


For example: 





SEARCH_LIST=.boston.novell:s,.accounting.boston.novell:s,.development.boston.novell 


In the above case both the contexts, .accounting.boston.novell and .development.boston.novell, could 
be eliminated from the list because .boston.novell is the parent and is specified for subtree search. 


However, a parent context that is specified after a child context is not eliminated. This allows 
searches to resolve more quickly by specifying smaller areas with frequently used user populations 
before a larger subtree search is done. 


For example: 
SEARCH_LIST=.development.boston.novell:s,.accounting.boston.novell,.boston.novell:s 


In this case, none of the contexts is eliminated. The development subtree is searched, then if no 
match is found, the accounting container is searched. If a match is not found, an entire subtree 
search of boston.novell is done. 


If a problem prevents the use of ndsilib for subtree searching, the FTP server treats each context in 
the SEARCH_LIST as a plain, single-level search context. 





NOTE: The current SEARCH_LIST in use is always noted in the ftpd.log file. In 
troubleshooting, it might be useful to compare the intended SEARCH_LIST in ftpserv.cfg with 
the effective result in ftpd.log. 





When the process of locating a user object depends upon a subtree search, the user should submit 
only the username upon login. Submitting a relative or partial context with the username is not 
successful in a subtree search. Submitting a full context, beginning with a leading dot (.) is 
recommended because this does not rely on a subtree search. 


For example: 
.user1.boston.novell 


If a context name contains the delimiter itself (:s), it should be separated with a backslash, 
irrespective of whether it is specified for subtree search or for context-level search. 


For example: 


SEARCH_LIST=.north\:south 





where the eDirectory container object name is .north:south. 


When a user is found, the FTP session's context is set to the context where the user was found. 
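

The elimination rules described in this section can be reproduced offline to predict the effective list before comparing it with ftpd.log. The following is an added example, not Novell code: the function names are hypothetical, a context repeated with a different search mode is treated as a duplicate (an assumption; the guide does not say), and the output uses ftpserv.cfg syntax because the ftpd.log format is not shown in this guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SearchContext:
    name: str      # container name with the \: escape removed
    subtree: bool  # True when the entry ended with the :s delimiter


def normalize(name):
    """Lower-case a context and force one leading dot, for comparison only."""
    return "." + name.lstrip(".").lower()


def parse_search_list(value):
    """Split a SEARCH_LIST value into SearchContext entries, in search order."""
    contexts = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # A trailing :s enables subtree search unless its colon is escaped
        # (\:s); in that case ":s" belongs to the container name.
        subtree = entry.endswith(":s") and not entry.endswith("\\:s")
        if subtree:
            entry = entry[:-2]
        contexts.append(SearchContext(entry.replace("\\:", ":"), subtree))
    return contexts


def is_child_of(child, parent):
    """True when child lies strictly below parent in the tree."""
    c, p = normalize(child), normalize(parent)
    # p starts with a dot, so endswith() only matches on a component boundary.
    return c != p and c.endswith(p)


def effective_search_list(value):
    """Apply the duplicate and parent/child elimination in list order.

    Returns (kept, dropped); dropped holds (context, context_that_covers_it).
    """
    kept, dropped = [], []
    for ctx in parse_search_list(value):
        covering = None
        for earlier in kept:
            same = normalize(earlier.name) == normalize(ctx.name)
            below = earlier.subtree and is_child_of(ctx.name, earlier.name)
            if same or below:
                covering = earlier
                break
        if covering is None:
            kept.append(ctx)
        else:
            dropped.append((ctx, covering))
    return kept, dropped


def render(contexts):
    """Write contexts back in ftpserv.cfg syntax, re-escaping colons."""
    return ",".join(
        c.name.replace(":", "\\:") + (":s" if c.subtree else "")
        for c in contexts
    )


if __name__ == "__main__":
    # Constructed input: the second example above plus an escaped name
    # and a duplicate that differs only in case.
    intended = r".boston.novell:s,.accounting.boston.novell:s,.north\:south,.Boston.Novell"
    kept, dropped = effective_search_list(intended)
    print("effective:", render(kept))
    for ctx, by in dropped:
        print(f"dropped {ctx.name} (covered by {by.name})")
```

Because the first matching context decides which user object a bare username resolves to, a difference between this predicted list and the one recorded in ftpd.log is worth investigating before users log in.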


3.4 Security Guidelines 


The following security guidelines and best practices are essential to ensure a secure environment for 
FTP Server. 


+ Section 3.4.1, “Security Configuration,” on page 43 


+ Section 3.4.2, “Security Best Practices,” on page 45 


3.4.1 Security Configuration 


Configure the following parameters in the ftpserv.cfg file to protect the FTP environment. 


Table 3-8 FTP Parameters and Their Recommended Values 


FTP Parameter: SECURE_CONNECTIONS_ONLY 
Recommended Value: YES 
Reason for Recommendation: If this parameter is set to YES, only secure connections from FTP 
clients are supported. This means that you can only use FTP clients that support secure 
connections with this setting. The advantage of using this is that control channel information 
such as usernames and passwords are encrypted and protected from spoofing and sniffing. 
Optionally, the data channel also can be encrypted, if the client chooses to do so. Refer to 
Section 3.2.2, “Security Extensions,” on page 29 for details on security mechanisms supported 
by NetWare FTP Server. 
Default Value: NO 


FTP Parameter: INTRUDER_HOST_ATTEMPTS 
Recommended Value: 20 
Reason for Recommendation: If this value is set to 0, host intruder detection is disabled, which 
is not advisable. 
Default Value: 20 


FTP Parameter: INTRUDER_USER_ATTEMPTS 
Recommended Value: 5 
Reason for Recommendation: If this value is set to 0, user intruder detection is disabled, which 
is not advisable. 
Default Value: 5 


FTP Parameter: MAX_FTP_SESSIONS 
Recommended Value: 30 
Reason for Recommendation: Setting this to a lower value limits the concurrent FTP connections 
allowed to the server. This is useful if a denial of service attack is mounted; the scope for 
exploitation is limited. 
Default Value: 30 


FTP Parameter: IDLE_SESSION_TIMEOUT 
Recommended Value: 180 
Reason for Recommendation: It is recommended to specify a small value because if the system 
remains idle for a long time, it could result in malicious attacks. 
Default Value: 600 


FTP Parameter: ANONYMOUS_ACCESS 
Recommended Value: NO 
Reason for Recommendation: To avoid a denial of service attack, if MAX_FTP_SESSIONS runs out 
of space because the maximum number of anonymous sessions has been exceeded. 
Default Value: NO 


It is also recommended that you set restrictions for hosts, containers, users, domains, IP addresses 
and IP address ranges, in the ftprest.txt file. By default, no restrictions are set. 
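

One way to check a copy of ftpserv.cfg against Table 3-8 is a small offline audit. The following is an added example, not part of the product: the function names and the two sample files are constructed, and it assumes PARAMETER=VALUE lines with # marking comments, treating a parameter that is absent as having the default value from the table.

```python
# Values from Table 3-8: parameter -> (kind of check, recommended, default).
#   "flag"    : value must equal the recommended YES/NO setting
#   "nonzero" : 0 disables the control; values above the recommendation are flagged
#   "max"     : value must not exceed the recommendation
TABLE_3_8 = {
    "SECURE_CONNECTIONS_ONLY": ("flag", "YES", "NO"),
    "INTRUDER_HOST_ATTEMPTS": ("nonzero", 20, "20"),
    "INTRUDER_USER_ATTEMPTS": ("nonzero", 5, "5"),
    "MAX_FTP_SESSIONS": ("max", 30, "30"),
    "IDLE_SESSION_TIMEOUT": ("max", 180, "600"),
    "ANONYMOUS_ACCESS": ("flag", "NO", "NO"),
}


def parse_cfg(text):
    """Read PARAMETER=VALUE lines; '#' comment handling is an assumption."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit(cfg_text):
    """Return (parameter, effective value, reason) for each deviation."""
    settings = parse_cfg(cfg_text)
    findings = []
    for param, (kind, recommended, default) in TABLE_3_8.items():
        value = settings.get(param, default)  # absent means the default applies
        if kind == "flag":
            if value.upper() != recommended:
                findings.append((param, value, f"recommended value is {recommended}"))
            continue
        try:
            number = int(value)
        except ValueError:
            findings.append((param, value, "not an integer"))
            continue
        if kind == "nonzero" and number == 0:
            findings.append((param, value, "intruder detection is disabled"))
        elif number > recommended:
            findings.append((param, value, f"exceeds recommended value {recommended}"))
    return findings


# Constructed sample: several settings weaker than Table 3-8 recommends.
WEAK_CFG = """\
# constructed sample, not a real server's file
SECURE_CONNECTIONS_ONLY=NO
INTRUDER_HOST_ATTEMPTS=0
INTRUDER_USER_ATTEMPTS=5
MAX_FTP_SESSIONS=200
IDLE_SESSION_TIMEOUT=600
ANONYMOUS_ACCESS=YES
"""

# Constructed sample: every parameter at its recommended value.
HARDENED_CFG = """\
SECURE_CONNECTIONS_ONLY=YES
INTRUDER_HOST_ATTEMPTS=20
INTRUDER_USER_ATTEMPTS=5
MAX_FTP_SESSIONS=30
IDLE_SESSION_TIMEOUT=180
ANONYMOUS_ACCESS=NO
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG), ("defaults only", "")):
        print(f"[{label}]")
        for param, value, reason in audit(cfg) or [("-", "-", "no deviations")]:
            print(f"  {param}={value}: {reason}")
```

Running the audit on an empty file shows which defaults already deviate from the recommendations, which is the state of a server whose ftpserv.cfg never sets these parameters.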


3.4.2 Security Best Practices 


The following best practices can help create a more secure FTP setup: 
+ It is a good practice to check the following log files on a regular basis: 


ftpaudit.log 
ftpstat.log 
ftpintruder.log 
ftpd.log 


These files contain details about user activities, statistics, intruders, and other information and 
error messages. 

+ You should restrict FTP Server access to users by making relevant configuration changes in the 
ftprest.txt file. To restrict access to remote server navigation for a user, set 
ACCESS=NOREMOTE. 




















NOTE: While using iManager to administer FTP Server, the FTP administrator has access and 
rights to the configuration and statistics of all the FTP servers in the tree. 


Cluster-Enabling NetWare FTP Server 


You can configure NetWare® FTP Server in either active/active or in active/passive modes of 
Novell® Cluster Services™. 


To optimally utilize the services of cluster-enabled NetWare FTP Server, we recommend using FTP 
clients with the Reconnect option. 


With iManager, you can use the object selector to select any server in the eDirectory tree, and 
administer the FTP Server on that server. 


+ Section 4.1, “Prerequisites,” on page 47 
+ Section 4.2, “Cluster-Enabling for the First Time,” on page 48 
+ Section 4.3, “Upgrading Cluster-Enabled FTP Server,” on page 50 


4.1 Prerequisites 


+ NetWare FTP Server is installed on every server in the cluster 


+ Novell Cluster Services is installed and set up 


For step-by-step information on setting up Novell Cluster Services, refer to Installation and 
Setup (http://www.novell.com/documentation/oes/cluster_admin/data/hc8jxt45.html#hc8jxt45) 
in the OES Novell Cluster Services 1.8 Administration Guide for NetWare. 


Figure 4-1 Cluster Objects 


4.2 Cluster-Enabling for the First Time 


You can cluster-enable the FTP server in one of the following modes: 


+ Section 4.2.1, “Active/Passive Mode,” on page 48 
+ Section 4.2.2, “Active/Active Mode,” on page 49 


4.2.1 Active/Passive Mode 


In the active/passive cluster mode, NetWare FTP Server runs on only one node in the cluster at a 
time. For example, if the node where FTP Server is installed fails, NetWare FTP Server starts on 
other specified nodes in the cluster and the FTP sites on the failed server fail over to other nodes in 
the cluster. 


Cluster-enabling in this mode has the following advantages: 


+ A common user restriction can be maintained across the cluster setup because only a single 
configuration and restriction file exists in the cluster. The restriction for any eDirectory 8.7.3 
user on a particular FTP Server continues even when the FTP service fails over to another node 
in the cluster. 


+ The FTP system log files for the cluster can be saved at a common location. 


+ A user home directory can be saved in the shared volume path. 


+ FTP Server status can be monitored by using the ftpstat command. This command lets you 
view session-based details such as bytes sent, bytes received, session duration, files sent, files 
received, and current Novell eDirectory context. 


To configure an active/passive mode: 


1 Stop FTP Services by executing unload nwftpd on every node in the cluster. 


2 Edit autoexec.ncf and comment out or remove the ftpstart.ncf entry from every FTP Server 
in each of the nodes in the cluster. This lets FTP Server be started by NetWare Cluster 
Services. 


3 Create an etc directory in the shared volume directory and copy the FTP Server configuration 
file (ftpserv.cfg) and restrictions file (ftprest.txt) to shared_vol_name:/etc. 


4 Edit shared_vol_name:/etc/ftpserv.cfg and make the following changes: 


+ In the RESTRICT_FILE parameter, change the FTP user restrictions file path to 
shared_vol_name:/etc/ftprest.txt 


+ In the FTPD_LOG parameter, change the FTP daemon log file path to 
shared_vol_name:/etc. 


5 Bring the resource status to offline and then modify the load and unload scripts: 


5a Using ConsoleOne®, select and right-click the Cluster resource object, then click 
Properties > Scripts > Cluster Resource Load Script and Cluster Resource Unload Script. 


5b Add the following at the end of the existing load script: 
load nwftpd -c shared_vol_name:\etc\ftpserv.cfg 
load ftpstat 


The load script specifies the commands to start the resource or service on a server or to 
mount the volume on a server. 


5c Add the following at the beginning of the unload script: 
unload ftpstat 
unload nwftpd 


The unload script specifies how the application or resource should terminate. 


6 Bring the cluster resource online. 


FTP Server is now configured to work in the active/passive clustering mode. 


4.2.2 Active/Active Mode 


In active/active cluster mode, services of the NetWare FTP Server (nwftpd and ftpstat) run on all 
nodes in the cluster. 


For example, when a server fails, the FTP sites on that server have transparent failover to other FTP 
servers in the cluster. Only FTP sites move. 


Cluster-enabling in this mode has the following advantages: 


+ Faster recovery after a failure 


+ Effective load balancing 


Prerequisites: 


+ Ensure that every node in the cluster has the same configuration and restrictions file 


+ Make sure to use the default load/unload scripts 


To configure an active/active mode: 

1 Edit the autoexec.ncf file and uncomment the ftpstart.ncf entry in individual nodes/ 
servers of the cluster that will run NetWare FTP Server. 

2 Bring the resource status to offline and then modify the load/unload scripts. 


2a Using ConsoleOne®, select and right-click the Cluster resource object, then click 
Properties > Scripts > Cluster Resource Load Script and Cluster Resource Unload Script. 


2b Add the following at the end of the existing load script: 
nwftpd -c shared_vol_name:\etc\ftpserv.cfg 


The load script specifies the commands to start the resource or service on a server or to 
mount the volume on a server. 


2c For every FTP Server instance running, add the following at the beginning of the unload 
script: 


nwftpd -u shared_vol_name:\etc\ftpserv.cfg 


The unload script specifies how the application or resource should terminate. 


3 Bring the cluster resource online. 


FTP Server is now configured to work in the active/active clustering mode. 


4.3 Upgrading Cluster-Enabled FTP Server 


See the following sections for more information about upgrading a cluster-enabled FTP server: 


+ Section 4.3.1, “Active/Passive Cluster Mode,” on page 50 
+ Section 4.3.2, “Active/Active Cluster Mode,” on page 51 


4.3.1 Active/Passive Cluster Mode 


1 After the upgrade from NetWare 6 Support Pack 3/NetWare 5.1 Support Pack 6 is complete, 
execute unload nwftpd to stop FTP services running on all the nodes that you are 
cluster-enabling. 


2 Edit autoexec.ncf and comment out or remove the nwftpd entry from every FTP server in 
each node in the cluster. 


This lets FTP Server be started by Novell Cluster Services. 
3 Bring the resource offline. 
4 Bring the resource status to offline and then modify the load and unload scripts: 


4a Using ConsoleOne®, select and right-click the Cluster resource object, then click 
Properties > Scripts > Cluster Resource Load Script and Cluster Resource Unload Script. 


4b Add the following at the end of the existing load script: 
load nwftpd -c shared_vol_name:\etc\ftpserv.cfg 
load ftpstat 


The load script specifies the commands to start the resource or service on a server or to 
mount the volume on a server. 


4c Add the following at the beginning of the unload script: 
unload ftpstat 
unload nwftpd 


The unload script specifies how the application or resource should terminate. 


4.3.2 Active/Active Cluster Mode 


Prerequisites: 


+ Ensure that every node in the cluster has the same configuration and restrictions file 


+ Make sure to use the default load/unload scripts 


1 After the upgrade from NetWare 6 Support Pack 3 / NetWare 5.1 Support Pack 6 is complete, 
execute unload nwftpd to stop FTP services running on all the nodes that you are cluster 
enabling. 


2 Edit autoexec.ncf, and if it is commented, uncomment the nwftpd entry from every FTP 
server in each node in the cluster. 


This lets FTP Server be started by Novell Cluster Services. 


3 Bring the resource offline. 


Migrating FTP from NetWare to OES 2 Linux 


The OES 2 SP2 Migration Tool has a plug-in architecture and is made up of Linux command line 
utilities with a GUI wrapper. You can migrate CIFS from a NetWare server to an OES 2 SP2 Linux 
server either using the GUI Migration Tool or from the command line. 


To get started with migration, see OES 2 SP2: Migration Tool Administration Guide. 


For more information on migrating NTPv3, see “Migrating FTP from NetWare to OES 2 Linux”. 


NetWare FTP Server FAQ 


This section discusses questions that the users and system administrators might have while using 
NetWare® FTP Server. 


+ Section 6.1, “FTP Server FAQs,” on page 55 
+ Section 6.2, “Using iManager to Configure FTP Server,” on page 59 
+ Section 6.3, “Localization Issues,” on page 61 


6.1 FTP Server FAQs 


Where can I get more information on the FTP Server error messages displayed on 
the system console? 


Action: Refer to Appendix A, “NetWare FTP Server Messages,” on page 63 for 
information on FTP Server error messages. 


Why are some file size values displaying as -1? 


Explanation: For files that are greater than 2 GB in size, NetWare FTP server displays the 
file size value as -1. 


For files greater than 4 GB, NetWare FTP Server supports all FTP operations 
except size display and restart. 


Why am I unable to login to NetWare FTP Server even though I have entered valid 
user id and password? 


Explanation: Successful login to NetWare FTP Server requires that a read-write/master 
server in the eDirectory tree is up. 


Action: Make sure that the read-write/master server in the eDirectory tree is up. 


Why is the anonymous user unable to perform any write operation? How can this be 
resolved ? 


Explanation: The anonymous home directory could be in a NFS Gateway volume that might 
not have the write permissions for the Other category in a remote UNIX file 
system. 


Action: Ensure that the directory in the remote UNIX system corresponding to the 
anonymous home directory of the NFS Gateway volume has write permission 
for Other category. 


Why is the log file not created even though I have specified the name of the 
directory? 


Explanation: The log file is not created if the filename ends with a backslash (\) or a 
forward slash (/). 


Action: Make sure that the log directory name does not end with a backslash (\) or a 
forward slash (/). 


Why am I unable to navigate to remote servers? 


Explanation: Remote Server navigation is not accessible through an IP address. 


Action: Make sure that you specify the NCPL address of the server and not the DNS 
name. 


Why am I not able to see directory listing in my FTP client even after connecting to 
the NetWare FTP server? 


Explanation: The FTP client that you are using might be one that expects UNIX-like file 
permissions. The NetWare FTP Server by default sends NetWare trustee rights 
along with the files, so this might be incomprehensible to your FTP client. 


Action: Set the PSEUDO_PERMISSIONS parameter to ON in the configuration file 
(Default = sys:\etc\ftpserv.cfg). Set the 
PSEUDO_FILE_PERMISSIONS and PSEUDO_DIR_PERMISSIONS 
parameters based on the kind of permissions you want to display for files and 
directories in the FTP client. 


After connecting to NetWare FTP Server, certain GUI FTP Clients such as Crystal FTP 
and FTPSurfer are not displaying contents of the directories. Why does this happen 
and how can it be resolved? 


Possible Cause: Certain clients expect directory listing to be in UNIX-like format. 


Action: In the configuration file of the NetWare FTP server 
(Default = sys:\etc\ftpserv.cfg), set the PSEUDO_PERMISSIONS parameter to ON. 


Why is an anonymous user not able to log on to the NetWare FTP server even after 
setting the ANONYMOUS_USER_ACCESS to ON in the configuration file? 


Explanation: The anonymous user might have been created manually by using a method 
other than nwftpd -a. 


Action: While creating an anonymous user, make sure that the anonymous user has 
been assigned a blank password and has been given proper access rights to the 
anonymous home directory. 


Explanation: The anonymous user login expects an e-mail address as input for the password. 
Most FTP servers check only for the at sign (@) sign in the password, but the 
NetWare FTP server checks for the at sign (@) followed by at least a single 
valid character. 


I have an anonymous user account in the DEFAULT_FTP_CONTEXT. I am able to 
access my anonymous account irrespective of the current context that I am in, but 
why am I not able to do this for other user accounts present in the 
DEFAULT_FTP_CONTEXT? 


Explanation: Although all users are searched in the current session context and then also in 
the contexts specified in the SEARCH_LIST, the anonymous user is always 
searched only in the DEFAULT_FTP_CONTEXT irrespective of the current 
session context. The anonymous user is never searched in the contexts 
specified in the SEARCH_LIST because of security reasons. 


Action: If you want all your users present in a particular context to be able to log in 
irrespective of the current session context, then include that context in the 
SEARCH_LIST parameter of the configuration file. 


Even after I load the FTP server, why am I not able to connect to it from my client? 


Explanation: There were problems while loading the FTP Server, such as another 
application was using the same port. These problems are reported in the logger 
screen of the NetWare Server. 


Why is dynamic configuration of NetWare FTP Server not working? 


Explanation: Dynamic configuration does not take effect immediately if the ftpserv.cfg 
configuration file is modified by using Notepad or any application from a 
mapped drive. 


Action: Wait for the change to take effect. 
or 


For the changes to take effect immediately, use the iManager UI utility, or edit 
the file by using edit.nlm. 


I am unable to get an entire directory from the server and the message "No Such file 
or Directory" is displaying. How do I resolve this? 


Possible Cause: You might be trying to get the entire directory without having that directory on 
your local disk. 


Action: Complete the following: 


1 Create a directory with the same directory name on the local disk, then 
execute get directory name. 


2 To get all files, do a CD to that directory on the server. 


Why am I unable to connect from a MAC IE client to NetWare FTP Server? 


Explanation: The MAC IE client prepends a / to home directory. Therefore, the FTP server 
assumes it to be a remote server navigation and does not respond. 


How do I make use of SITE Commands? 


Explanation: Most FTP clients have implemented the quote command to send arbitrary 
FTP command to the server. 


Enter quote SITE help to get the list of valid SITE commands and use 
quote SITE SITE-cmd. 














If your FTP client has not implemented the quote command, find out how to 
send arbitrary or custom commands from your FTP clients and then send site 
site-cmd to make use of SITE commands. 


The cd multiple dots (cd ../) is not changing to a different volume. Why does this 
happen? 


Possible Cause: You are trying to access across volumes using the cd ../ (multiple dots) 
command. 


Explanation: You cannot traverse across volumes using the cd ../ command. 


For example, if you are in /sys (where sys is a volume) and you execute 
cd ../vol1, you are placed in / (root) and not in vol1. Even if you specify a 
fictitious volume name, such as cd ../fictitious_vol, NetWare FTP 
server cannot access beyond the / with this command. You are placed in / and 
no error is reported. 


Action: To change directories across volumes, use the cd command without multiple 
dots. 


How do I return to main page from the instance data page? 


Action: To return to the main page, click Cancel or click the FTP Task link in the left 
pane. 


Why is the iManager page displaying the default IP address values even though I 
have entered another value? 


Possible Cause: You might have entered special characters such as @ # $ % & * ()?< > as 
values for IP address or server passive IP address. 


Explanation: FTP behaves inconsistently if special characters are entered in the values for 
the IP address. The ftpstat page displays the value that you enter, but the 
FTP iManager plug-in field displays the default values for these two 
parameters. At times, the FTP page does not come up if special characters are 
entered. 


Action: Click FTP in the left task link in iManager to go to the FTP page again. 


After the modification time is set, the file time stamp varies by a second. Is this all 
right? 


Explanation: Yes, when setting the modification time, the result varies from the value 
specified by a second. 


On a remote server, why are the values retrieved or set by the MDTM command not 
complying with its time zone? 


Explanation: The get and set values on a file or directory on the remote server comply with 
the local server time values where FTP is running. 


Why am I unable to set the last modified time (MDTM) of a file or directory? 


Possible Cause: When setting the modified time (mdtm), for a volume, file, or directory, your 
current working directory might be root ( / ). 


Explanation: When setting mdtm for a volume or a file or a directory, using an absolute path 
does not work. 


Action: Change the directory to a valid volume or directory and try repeating the set 
MDTM operation from there. 


At times the FTP client hangs at '150 Opening Data connection...’. Why? 


Possible Cause: Certain FTP clients do not handle the error message sent by the server after a 
'150 Opening Data connection..’ reply. 


Action: Stop the FTP data connection and restart the FTP session. 


Why is it that a user with write access to a directory can set the timestamps for read- 
only files in a directory? 


Explanation: This is because of regular NetWare access methods. 


Action: To prevent this, remove the user's access rights to modify time. The related 
rights, such as modify and write that are to be removed are prohibitive. 


What if a user with read-only access tries to get the timestamp of a non-existent file? 


Explanation: If a user with read-only access tries to get the timestamp of a non-existent file, 
FTP Server returns the Restricted action error instead of Invalid path. 


This is because FTP Server now evaluates the mdtm command for both getting 
and setting timestamps, but it cannot evaluate the possibility of setting the 
timestamp for read-only users. 


Why does the FTP binding and loading fail when I set the 
FORCE_PASSIVE_ADDRESS as a DNS name? 


Explanation: Make sure that this value is in the standard IP address format and does not 
exceed 15 characters. The IP address should be valid and it should not contain 
any special characters such as @ # $ % & * ()?< >;. 


6.2 Using iManager to Configure FTP Server 


The following are questions about using iManager to configure FTP Server: 


While upgrading the iManager snap-ins from iManager configuration, a message 
displays, indicating "This package has an earlier version than the module that is 
currently installed. Installation has been cancelled." How can I resolve this? 


Action: To resolve this and install the latest FTP iManager snap-ins, delete the 
previous module. 


To delete the module, go to iManager menu > Configure > iManager 
configuration > Modules. 


How do I resolve the error message “failed to unload the instance” when using 
multiple instance administration? 


Explanation: You might have unloaded multiple instances consecutively. 


Action: Complete the following: 


1 Click the Close button to come back to main page. This is because the 
unload instance has failed. 


2 Click the Refresh button to see the status of the instance. 


In the iManager page for FTP administration, pressing the Enter key after typing the 
server name does not display anything. 


Action: The Enter key functionality is not supported in this page. Instead of typing the 
server name, you can select the server by clicking the Object Selector icon. 
This displays a list of available FTP Server instances. 


Why is it that when I access the FTPStat page by using the Monitor active FTP 
Sessions link in the FTP Server Administration Page and refresh it, the page 
contents do not refresh and go blank instead? 


Explanation: The FTP Server Administration Page refreshes automatically every 10 
seconds. Because manual refresh is not supported, manually refreshing the 
page leads to a blank page. This behavior does not exist in other pages in 
ftpstat; pages other than the first page can be manually refreshed. 


Action: To view the refreshed page, click the Monitor active FTP Sessions link on the 
FTP Server Administration page. 


When I do a Ctrl N (^n) on configuration page of ftpstat, a new browser window (with 
the URL window displaying the IP address and port) is launched with same page 
contents in new window, even though ftpstat is now over a secure connection. Why? 


Explanation: When you execute Ctrl+N on the ftpstat page, the browser launches a new 
session with same URL in a new window. Ftpstat on the server, however, 
cannot distinguish it from the previous page, because the browser client does 
not distinguish between the old page and the newly opened window for the 
server. This results in the display of the same contents of the page in the new 
browser window. This is an issue with browser behavior and not with ftpstat. 


Is the FTP iManager plug-in well supported by all browsers? 


Explanation: Yes, it is. However, some of the browsers do not handle the ftpstat session 
timeout well. At times, the browser prompts the user to open/save file to disk 
for the cookie. 


Also, after 20 minutes, the session timeout message might not be displayed 
correctly by some of the browsers. There could be broken contents on the 
page. 


Action: These issues do not affect the FTP Server functionality. Ignore the browser 
prompt to open or save the file to disk for the cookie. 


Ignore the broken contents and open a new session by clicking the Monitor 
Active Sessions in iManager again. 


6.3 Localization Issues 


The following are the NetWare FTP Server localization FAQs: 


When using FTP Server on a Japanese language machine, the user is not placed in 
the home directory. How can I resolve this? 


Action: To resolve this, replace backslashes (\) with forward slashes (/) as path 
separators in the user's home directory path. In ConsoleOne®, right-click User, 
then click Properties > General > Environment > Modify. 


Does FTP Server support files and directories created in a DOS name space on a 
server with double-byte characters? 


Explanation: If you create a file or directory in a DOS name space on a server with double- 
byte characters, the file or directory is created on that server with the name 
specified. However, the message to the FTP client might contain a different 
file or directory name. This happens in particular with the 0x8374 character in 
Shift_JIS, 30D5 in Unicode*, which is converted to 0x8354 in Shift_JIS, 
30B5. 


NetWare FTP Server Messages 


This section explains NetWare® FTP Server messages along with possible causes and suggested 
actions to resolve the problems. 


+ Section A.1, “NWFTPD Messages,” on page 63 

+ Section A.2, “Anonymous User Creation,” on page 65 
+ Section A.3, “FTPSTAT Messages,” on page 66 

+ Section A.4, “FTPUPGRD Messages,” on page 67 


A.1 NWFTPD Messages 


Failed to bind to FTP port 
Source: nwftpd.nlm 
Explanation: The port that the NetWare FTP Server is trying to bind is busy. 


Possible Cause: Another instance of the NetWare FTP Server or another application is bound to 
the port. 


Action: Unload the application that is bound to the port, or bind the NetWare FTP 
Server to a different port. 


Failed to initialize Anonymous user 
Source: nwftpd.nlm 
Explanation: The NetWare FTP Server failed to create an anonymous user. 
Possible Cause: Incorrect data was entered to create the user. 


Action: Use the following syntax: 


nwftpd -a [-c [volname: [/dirname/...]]myconfig.cfg] 


Failed to add Anonymous User object to NDS 
Source: nwftpd.nlm 
Possible Cause: The administrator user entered has insufficient rights. 
Action: When prompted for the name of the administrator, enter a user with sufficient 
rights. 
Failed to generate an ObjectKeyPair for the Anonymous User 
Source: nwftpd.nlm 
Possible Cause: The anonymous user entered has insufficient rights. 


Action: Ensure that the anonymous user has sufficient rights. 




Failed to open configuration file 
Source: nwftpd.nlm 
Possible Cause: The configuration file is not available at the specified location. 


Action: Ensure that the configuration file is available at the specified location. 


Unable to find default configuration file 
Source: nwftpd.nlm 
Possible Cause: The configuration file is not available at the default location (sys:/etc). 


Action: Ensure that the configuration file is available at the default location. 


Unable to locate Anonymous user in default context 
Source: nwftpd.nlm 


Possible Cause: sys:etc\hosts has an incorrect or missing entry for its own server address 
and name, or the anonymous user does not exist at the NetWare FTP Server’s 
context. 


Action: Ensure that sys:etc\hosts contains an entry for its own server, in the format: 


ip address servername 





Run nwftpd -a to create the anonymous user, then reload nwftpd. 
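

One way to run the hosts-file check described above against a copy of sys:etc\hosts, as an added example that is not part of the Novell guide. The sample file contents, the server name FTPSRV1 and the addresses are constructed, and comparing names case-insensitively is an assumption.

```python
import ipaddress

# Constructed sample of a sys:etc\hosts file (not from a real server).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      loopback lb localhost
192.168.1.10   FTPSRV1 ftpsrv1.example.com   # this server
192.168.1.300  BADHOST
"""


def parse_hosts(text):
    """Split hosts text into valid (ip, names) entries and per-line problems."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {lineno}: address without a server name")
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"line {lineno}: invalid IP address {fields[0]}")
            continue
        entries.append((str(ip), fields[1:]))
    return entries, problems


def check_own_entry(text, servername, expected_ip=None):
    """Return findings for the server's own entry; an empty list means OK."""
    entries, findings = parse_hosts(text)
    wanted = servername.lower()  # assumption: names compare case-insensitively
    ips = sorted({ip for ip, names in entries
                  if wanted in (n.lower() for n in names)})
    if not ips:
        findings.append(f"no entry for {servername}")
    elif len(ips) > 1:
        findings.append(f"{servername} maps to several addresses: {ips}")
    elif expected_ip and ips[0] != expected_ip:
        findings.append(f"{servername} maps to {ips[0]}, expected {expected_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_own_entry(SAMPLE_HOSTS, "FTPSRV1", "192.168.1.10"):
        print(finding)
```

Malformed lines are reported even when they do not name the server, because a mistyped address on the server's own line would otherwise show up only as a missing entry.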


USAGE : nwftpd [-a] [-c <Config File>] [-d] 
Source: nwftpd.nlm 
Possible Cause: The user might have tried to load nwftpd.nlm incorrectly. 


Action: To load FTP Server with the default configuration file, enter the following 
command: 


nwftpd 


To create an anonymous user, use the following command: 


nwftpd -a 


To load FTP Server with a specific configuration filename, enter the following 
command syntax: 


nwftpd -c [volname:[/dirname/...]]myconfig.cfg 


To disable dynamic configuration updates, enter the following command: 


nwftpd -d 


Aborting load. Configuration file not found. 


Possible Cause: The configuration file was not found in the location specified. 


Action: Ensure that the configuration file exists in the location specified. 


UNLOAD_THIS_INSTANCE parameter set in the configuration file. Unloaded the 
corresponding instance. 


Possible Cause: The UI administration utility might have opted to stop this instance. 


Failed to get Server Context. 


Action: Verify the server context. If it is a bindery context, then give a valid context, or 
set the DEFAULT_FTP_CONTEXT parameter of the configuration file. 


Failed to create ContextHandle for FTPServer retcode=n 


Possible Cause: DS failure. 


A.2 Anonymous User Creation 


Login failed for user 
Possible Cause: The password might be invalid or the user does not exist. 


Action: Give the Admin User ID (or User ID with security equivalent to admin) and 
password. 


Failed to map Name to ID. Trying to contact Master server. This could take several 
minutes. 


Possible Cause: The server might be a read-only/non-replica server and the master server is 
down, or the anonymous user object that was just created might not yet have 
been synchronized in the master server. 


Action: Try again later. 


Failed to allocate and initialize NDS buffers. 
Possible Cause: Inadequate system memory. 


Action: Free some system memory. 


Failed to add Anonymous user object to NDS. 


Possible Cause: The username should have security equivalent to admin to create an 
anonymous user object. 


Action: Create an admin user (or user with security equivalent to admin) and 
password. 


Failed to generate an ObjectKeyPair for the Anonymous object. 


Possible Cause: The username should have security equivalent to admin to create an 
anonymous user object. 


Action: Create an admin user (or user with security equivalent to admin) and 
password. 


Failed to open a connection with the local server 
Possible Cause: The NCP connection table might be full. 
Action: Do the following: 


1 Load monitor.nlm. 


2 Clear the connections that are not required. 


Failed to create Anonymous home directory 


Possible Cause: Any of the following: 


+ The username might not be security equivalent to admin to create an 
anonymous user object 


+ The volume does not exist 
+ There is a directory I/O error 


+ There is a hardware failure 


Failed to add rights to Anonymous user 


Possible Cause: Any of the following: 


+ The username might not be security equivalent to admin to create an 
anonymous user object 


+ The volume does not exist 
+ There is a directory I/O error 


+ There is a hardware failure 


Failed to initialize Anonymous user access 
Possible Cause: Any of the following: 


+ The user should be security equivalent to an admin user 

+ The memory is insufficient 

+ The local server might be a read-only/no-replica server and the master 
server is down or not reachable 

+ The connection table might be full 


A.3 FTPSTAT Messages 


USAGE: ftpstat [-p <port number>] 
Possible Cause: The user might have tried to load ftpstat.nlm incorrectly. 


Action: To load ftpstat with the default port number (2500), enter the following 
command: 


ftpstat 


To load ftpstat on a different port number, use the following command syntax: 


ftpstat -p <port number> 


Unable to bind to port 


Possible Cause: The port that ftpstat.nlm is trying to bind is busy. Another instance of 
ftpstat.nlm or another application might be bound to the port. 


Action: Unload the application that is bound to the port, or bind the ftpstat to a 
different port. 


Invalid port number, binding to default port, valid range is 1 to 65534 


Action: Give a valid port number. 


A.4 FTPUPGRD Messages 


Could not create the .cfg file. 
Source: FtpUpgrd.nlm 


Possible Cause: The configuration file does not exist for the NetWare FTP Server upgrade, or 
the existing configuration file has read-only access. 


Action: Modify the file access if it is read-only, or specify the correct configuration file 
name with the following command: 


ftpupgrd [-c [volname:[/dirname/...]]myconfig.cfg] 


Could not create the NetWare FTP Server Restriction file. 
Source: FtpUpgrd.nlm 


Possible Cause: The restriction file does not exist for NetWare FTP Server upgrade, or the 
existing restriction file has read-only access. 


Action: Modify the file access if it is read-only, or specify the correct restriction 
filename. 


Failed to upgrade 
Source: FtpUpgrd.nlm 
Possible Cause: Any of the following: 
+ The configuration file does not exist for the NetWare FTP Server upgrade 
+ The existing configuration file has read-only access 
+ The restriction file does not exist for the NetWare FTP Server upgrade 
+ The existing restriction file has read-only access 


Action: Modify the file access if it’s read-only, or specify the correct configuration file 
name with the following command: 


ftpupgrd [-c [volname:[/dirname/...]]myconfig.cfg] 


Correct Usage: ftpupgrd [-c <Config File>] 
Source: FtpUpgrd.nlm 
Possible Cause: The user might have tried to load FtpUpgrd.nlm incorrectly. 


Action: Use the following command syntax: 


ftpupgrd [-c [volname:[/dirname/...]]myconfig.cfg] 


Documentation Updates 


+ Section B.1, “November 9, 2009” 
+ Section B.2, “December 2008” 
+ Section B.3, “June 20, 2007” 


B.1 November 9, 2009 


This guide has been modified for publication on the NetWare 6.5 SP8 Documentation Web site. 


B.2 December 2008 


+ Migration chapter revised and moved out to OES 2 SP2: Migration Tool Administration Guide. 


+ Updated to the latest file template. 


+ Edited the guide for changes in some sections. 


B.3 June 20, 2007 


+ Added new chapter Chapter 5, “Migrating FTP from NetWare to OES 2 Linux,” on page 53. 